From 8577035c120b5dc6a424df14802d05dc2f83ad65 Mon Sep 17 00:00:00 2001 From: Ortagus Winfrey <85191667+OWinfreyATL@users.noreply.github.com> Date: Mon, 18 Nov 2024 21:14:57 -0500 Subject: [PATCH 01/19] November 2024 Whats new items --- docs/fundamentals/whats-new.md | 155 +++++++++++++++++++++++++++++++++ 1 file changed, 155 insertions(+) diff --git a/docs/fundamentals/whats-new.md b/docs/fundamentals/whats-new.md index 32b9d088263..dd3f4681371 100644 --- a/docs/fundamentals/whats-new.md +++ b/docs/fundamentals/whats-new.md 
@@ -27,6 +27,161 @@ For a more dynamic experience, you can now find this information in the Microsof > [!NOTE] > If you're currently using Azure Active Directory today or are have previously deployed Azure Active Directory in your organizations, you can continue to use the service without interruption. All existing deployments, configurations, and integrations continue to function as they do today without any action from you. +## November 2024 + +### Public Preview - Microsoft Entra new store for certificate-based authentication + +**Type:** New feature +**Service category:** Authentications (Logins) +**Product capability:** User Authentication + +Microsoft Entra ID has a new scalable **PKI (Public Key Infrastructure) based CA** (Certificate Authorities) store with higher limits for the number of CAs and the size of each CA file. PKI based CA store allows CAs within each different PKI to be in its own container object allowing administrators to move away from one flat list of CAs to more efficient PKI container based CAs. PKI-based CA store now supports up to 250CAs, 8KB size for each CA and also supports issuers hints attribute for each CA. Administrators can also upload the entire PKI and all the CAs using the "Upload CBA PKI" feature or create a PKI container and upload CAs individually. + +--- + +### Changed feature - expansion of WhatsApp as an MFA one-time passcode delivery channel for Entra ID + +**Type:** Changed feature +**Service category:** MFA +**Product capability:** User Authentication + +In late 2023, Entra started leveraging WhatsApp as an alternate channel to deliver multifactor authentication (MFA) one-time passcodes to users in India and Indonesia. We saw improved deliverability, completion rates, and satisfaction when leveraging the channel in both countries. The channel was temporarily disabled in India in early 2024. Starting early December 2024, we will be re-enabling the channel in India, and expanding its use to additional countries. 
+ +Starting December 2024, users in India, and other countries can start receiving MFA text messages via WhatsApp. Only users that are enabled to receive MFA text messages as an authentication method, and already have WhatsApp on their phone, will get this experience. If a user with WhatsApp on their device is unreachable or doesn’t have internet connectivity, we will quickly fall back to the regular SMS channel. In addition, users receiving OTPs via WhatsApp for the first time will be notified of the change in behavior via SMS text message. + +If you don’t want your users to receive MFA text messages through WhatsApp, you can disable text messages as an authentication method in your organization or scope it down to only be enabled for a subset of users. Please note that we highly encourage organizations move to using more modern, secure methods like Microsoft Authenticator and passkeys in favor of telecom and messaging app methods. For more information, see: [Text message verification](../identity/authentication/concept-authentication-phone-options.md#text-message-verification). + +--- + +### Public Preview - bring your own 3rd party email OTP provider for Microsoft Entra External ID + +**Type:** New feature +**Service category:** B2C - Consumer Identity Management +**Product capability:** 3rd Party Integration + +Bring your own favorite email provider for email OTPs of sign-in and sign-up flows to Microsoft Entra External ID. You can use Azure Communication Service (ACS), or true 3rd party of choice making your authentication experiences consistently branded. + + +--- + +### Public Preview - Updating profile photo in MyAccount + +**Type:** New feature +**Service category:** My Profile/Account +**Product capability:** End User Experiences + +On November 13, 2024, users received the ability to update their profile photo directly from their [MyAccount](https://myaccount.microsoft.com/) portal. 
This change exposes a new edit button on the profile photo section of the user’s account. + +In some environments, it’s necessary to prevent users from making this change. Global Administrators can manage this using a tenant-wide policy with Microsoft Graph API, following the guidance in the [Manage user profile photo settings in Microsoft 365](/graph/profilephoto-configure-settings) document. + +--- + +### Public Preview - Conditional Access What If API + +**Type:** New feature +**Service category:** Conditional Access +**Product capability:** Access Control + +The Conditional access *What If* API can be used to programmatically test the impact of conditional access policies on user and workload identity signins. + +--- + +### Retirement - MFA Fraud Alert will be retired on March 1st 2025 + +**Type:** Deprecated +**Service category:** MFA +**Product capability:** Identity Security & Protection + +Microsoft Entra multifactor authentication (MFA) [fraud alert](../identity/authentication/howto-mfa-mfasettings.md#fraud-alert) allows end users to report MFA voice calls, and Microsoft Authenticator push requests, they didn't initiate as fraudulent. Beginning March 1, 2025, MFA Fraud Alert will be retired in favor of the replacement feature [Report Suspicious Activity](../identity/authentication/howto-mfa-mfasettings.md#report-suspicious-activity) which allows end users to report fraudulent requests, and is also integrated with [Identity Protection](../id-protection/overview-identity-protection.md) for more comprehensive coverage and remediation. To ensure users can continue reporting fraudulent MFA requests, organizations should migrate to using Report Suspicious Activity, and review how reported activity is remediated based on their Microsoft Entra licensing. For more information, see: [Configure Microsoft Entra multifactor authentication settings](../identity/authentication/howto-mfa-mfasettings.md). 
+ +--- + +### Public Preview - Universal CAE + +**Type:** New feature +**Service category:** Other +**Product capability:** Network Access + +Universal CAE revokes, and revalidates, network access in near real-time whenever Microsoft Entra ID detects changes to the identity. For more information, see: [Universal Continuous Access Evaluation (Preview)](../global-secure-access/concept-universal-continuous-access-evaluation.md). + +--- + +### Change Announcement - Updates to “Target resources” in Microsoft Entra Conditional Access + +**Type:** Changed feature +**Service category:** Conditional Access +**Product capability:** Identity Security & Protection + +The Microsoft Entra Conditional Access '*Target resources*' assignment has a consolidated view for the "*Cloud apps*", and "*Global Secure Access*" options under a new name "*Resources*". + +Customers can now target "All internet resources with Global Secure Access", "All resources (formerly 'all cloud apps'), or select specific resources (formerly "select apps"). For more information, see: [Conditional Access: Target resources](../identity/conditional-access/concept-conditional-access-cloud-apps.md). + +--- + +### General Availability - Dedicated new 1p resource application to enable AD to Microsoft Entra ID sync using Microsoft Entra Connect Sync or Cloud Sync + +**Type:** Changed feature +**Service category:** Provisioning +**Product capability:** Directory + +As part of ongoing security hardening, Microsoft will deploy a dedicated 1st party application to enable the synchronization between Active Directory and Microsoft Entra ID. This new application, called the "Microsoft Entra AD Synchronization Service" (Application Id: 6bf85cfa-ac8a-4be5-b5de-425a0d0dc016) will be provisioned in customer tenants using Microsoft Entra Connect Sync, or Microsoft Entra Cloud Sync service. 
+ +In the upcoming release(s), you will receive communications around deprecation of the current 1st party app that’s used for syncing between Active Directory and Microsoft Entra ID that would require you to update to the latest version of either Microsoft Entra Connect Sync, or Microsoft Entra Cloud Sync. + +--- + +### General Availability - Dynamic Administrative Units + +**Type:** New feature +**Service category:** RBAC +**Product capability:** AuthZ/Access Delegation + +Dynamic membership for users and devices in Administrative Units is now Generally Available. Instead of manually assigning users and devices to administrative units, tenant admins can set up a query for the administrative unit. The membership will be automatically maintained by Microsoft Entra ID. For more information, see: [Manage users or devices for an administrative unit with rules for dynamic membership groups](../identity/role-based-access-control/admin-units-members-dynamic.md). + +--- + +### Public Preview - Microsoft Entra Health Monitoring, Alerts Feature + +**Type:** Changed feature +**Service category:** Other +**Product capability:** Monitoring & Reporting + +Intelligent alerts in Microsoft Entra health monitoring notify tenant admins, and security engineers, whenever a monitored scenario breaks from its typical pattern. Microsoft Entra's alerting capability watches the low-latency health signals of each scenario, and fires a notification in the event of an anomaly. The set of alert-ready health signals and scenarios will grow over time. This alerts feature is now available in Microsoft Entra Health as an API-only public preview release (UX release is scheduled for February 2025). For more information, see: [How to use Microsoft Entra Health monitoring alerts (preview)](../identity/monitoring-health/howto-use-health-scenario-alerts.md). 
+ +--- + +### General Availability - Microsoft Entra Health Monitoring, Health Metrics Feature + +**Type:** New feature +**Service category:** Reporting +**Product capability:** Monitoring & Reporting + +Microsoft Entra health monitoring, available from the Health pane, includes a set of low-latency pre-computed health metrics that can be used to monitor the health of critical user scenarios in your tenant. The first set of health scenarios includes MFA, CA-compliant devices, CA-managed devices, and SAML authentications. This set of monitor scenarios will grow over time. These health metrics are now released as general availability data streams, in conjunction with the public preview of an intelligent alerting capability. + +--- + +### General Availability - Log analytics sign-in logs schema is in parity with MSGraph schema + +**Type:** Plan for change +**Service category:** Authentications (Logins) +**Product capability:** Monitoring & Reporting + +To maintain consistency in our core logging principles, we've addressed a legacy parity issue where the Azure Log Analytics sign-in logs schema did not align with the MSGraph sign-in logs schema. The updates include fields such as ClientCredentialType, CreatedDateTime, ManagedServiceIdentity, NetworkLocationDetails, tokenProtectionStatus, SessionID, among others. These changes will take effect in the first week of December 2024. + +We believe this enhancement will provide a more consistent logging experience. As always, you can perform pre-ingestion transformations to remove any unwanted data from your Azure Log Analytics storage workspaces. For guidance on how to perform these transformations, see: [Data collection transformations in Azure Monitor](/azure/azure-monitor/essentials/data-collection-transformations). 
+ +--- + +### Deprecated - MIM hybrid reporting agent + +**Type:** Deprecated +**Service category:** Microsoft Identity Manager +**Product capability:** Monitoring & Reporting + +The hybrid reporting agent, used to send a MIM Service event log to Microsoft Entra to surface in password reset and self-service group management reports, is deprecated. The recommended replacement is to use Azure Arc to send the event logs to Azure Monitor. For more information, see: [Microsoft Identity Manager 2016 reporting with Azure Monitor](/microsoft-identity-manager/mim-azure-monitor-reporting). + +--- + ## October 2024 ### Public Preview - Passkey authentication in brokered Microsoft apps on Android From c4a607b7a7d1df55b4edf706e36357da60de08ab Mon Sep 17 00:00:00 2001 From: Ortagus Winfrey <85191667+OWinfreyATL@users.noreply.github.com> Date: Tue, 19 Nov 2024 10:57:10 -0500 Subject: [PATCH 02/19] conditional what if removed --- docs/fundamentals/whats-new.md | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/docs/fundamentals/whats-new.md b/docs/fundamentals/whats-new.md index dd3f4681371..87d066efcb2 100644 --- a/docs/fundamentals/whats-new.md +++ b/docs/fundamentals/whats-new.md @@ -76,16 +76,6 @@ In some environments, it’s necessary to prevent users from making this change. --- -### Public Preview - Conditional Access What If API - -**Type:** New feature -**Service category:** Conditional Access -**Product capability:** Access Control - -The Conditional access *What If* API can be used to programmatically test the impact of conditional access policies on user and workload identity signins. - ---- - ### Retirement - MFA Fraud Alert will be retired on March 1st 2025 **Type:** Deprecated From 6554e8127af2858c7ca6c15def6e6d6369e5e4fd Mon Sep 17 00:00:00 2001 
From: Ortagus Winfrey <85191667+OWinfreyATL@users.noreply.github.com> Date: Sun, 24 Nov 2024 15:48:25 -0500 Subject: [PATCH 03/19] No replies --- docs/fundamentals/whats-new.md | 79 ---------------------------------- 1 file changed, 79 deletions(-) diff --git a/docs/fundamentals/whats-new.md b/docs/fundamentals/whats-new.md index 87d066efcb2..82c46c7ca0e 100644 --- a/docs/fundamentals/whats-new.md +++ b/docs/fundamentals/whats-new.md 
@@ -29,41 +29,6 @@ For a more dynamic experience, you can now find this information in the Microsof ## November 2024 -### Public Preview - Microsoft Entra new store for certificate-based authentication - -**Type:** New feature -**Service category:** Authentications (Logins) -**Product capability:** User Authentication - -Microsoft Entra ID has a new scalable **PKI (Public Key Infrastructure) based CA** (Certificate Authorities) store with higher limits for the number of CAs and the size of each CA file. PKI based CA store allows CAs within each different PKI to be in its own container object allowing administrators to move away from one flat list of CAs to more efficient PKI container based CAs. PKI-based CA store now supports up to 250CAs, 8KB size for each CA and also supports issuers hints attribute for each CA. Administrators can also upload the entire PKI and all the CAs using the "Upload CBA PKI" feature or create a PKI container and upload CAs individually. - ---- - -### Changed feature - expansion of WhatsApp as an MFA one-time passcode delivery channel for Entra ID - -**Type:** Changed feature -**Service category:** MFA -**Product capability:** User Authentication - -In late 2023, Entra started leveraging WhatsApp as an alternate channel to deliver multifactor authentication (MFA) one-time passcodes to users in India and Indonesia. We saw improved deliverability, completion rates, and satisfaction when leveraging the channel in both countries. The channel was temporarily disabled in India in early 2024. Starting early December 2024, we will be re-enabling the channel in India, and expanding its use to additional countries. - -Starting December 2024, users in India, and other countries can start receiving MFA text messages via WhatsApp. Only users that are enabled to receive MFA text messages as an authentication method, and already have WhatsApp on their phone, will get this experience. 
If a user with WhatsApp on their device is unreachable or doesn’t have internet connectivity, we will quickly fall back to the regular SMS channel. In addition, users receiving OTPs via WhatsApp for the first time will be notified of the change in behavior via SMS text message. - -If you don’t want your users to receive MFA text messages through WhatsApp, you can disable text messages as an authentication method in your organization or scope it down to only be enabled for a subset of users. Please note that we highly encourage organizations move to using more modern, secure methods like Microsoft Authenticator and passkeys in favor of telecom and messaging app methods. For more information, see: [Text message verification](../identity/authentication/concept-authentication-phone-options.md#text-message-verification). - ---- - -### Public Preview - bring your own 3rd party email OTP provider for Microsoft Entra External ID - -**Type:** New feature -**Service category:** B2C - Consumer Identity Management -**Product capability:** 3rd Party Integration - -Bring your own favorite email provider for email OTPs of sign-in and sign-up flows to Microsoft Entra External ID. You can use Azure Communication Service (ACS), or true 3rd party of choice making your authentication experiences consistently branded. - - ---- - ### Public Preview - Updating profile photo in MyAccount **Type:** New feature 
@@ -76,50 +41,6 @@ In some environments, it’s necessary to prevent users from making this change. --- -### Retirement - MFA Fraud Alert will be retired on March 1st 2025 - -**Type:** Deprecated -**Service category:** MFA -**Product capability:** Identity Security & Protection - -Microsoft Entra multifactor authentication (MFA) [fraud alert](../identity/authentication/howto-mfa-mfasettings.md#fraud-alert) allows end users to report MFA voice calls, and Microsoft Authenticator push requests, they didn't initiate as fraudulent. Beginning March 1, 2025, MFA Fraud Alert will be retired in favor of the replacement feature [Report Suspicious Activity](../identity/authentication/howto-mfa-mfasettings.md#report-suspicious-activity) which allows end users to report fraudulent requests, and is also integrated with [Identity Protection](../id-protection/overview-identity-protection.md) for more comprehensive coverage and remediation. To ensure users can continue reporting fraudulent MFA requests, organizations should migrate to using Report Suspicious Activity, and review how reported activity is remediated based on their Microsoft Entra licensing. For more information, see: [Configure Microsoft Entra multifactor authentication settings](../identity/authentication/howto-mfa-mfasettings.md). - ---- - -### Public Preview - Universal CAE - -**Type:** New feature -**Service category:** Other -**Product capability:** Network Access - -Universal CAE revokes, and revalidates, network access in near real-time whenever Microsoft Entra ID detects changes to the identity. For more information, see: [Universal Continuous Access Evaluation (Preview)](../global-secure-access/concept-universal-continuous-access-evaluation.md). 
- ---- - -### Change Announcement - Updates to “Target resources” in Microsoft Entra Conditional Access - -**Type:** Changed feature -**Service category:** Conditional Access -**Product capability:** Identity Security & Protection - -The Microsoft Entra Conditional Access '*Target resources*' assignment has a consolidated view for the "*Cloud apps*", and "*Global Secure Access*" options under a new name "*Resources*". - -Customers can now target "All internet resources with Global Secure Access", "All resources (formerly 'all cloud apps'), or select specific resources (formerly "select apps"). For more information, see: [Conditional Access: Target resources](../identity/conditional-access/concept-conditional-access-cloud-apps.md). - ---- - -### General Availability - Dedicated new 1p resource application to enable AD to Microsoft Entra ID sync using Microsoft Entra Connect Sync or Cloud Sync - -**Type:** Changed feature -**Service category:** Provisioning -**Product capability:** Directory - -As part of ongoing security hardening, Microsoft will deploy a dedicated 1st party application to enable the synchronization between Active Directory and Microsoft Entra ID. This new application, called the "Microsoft Entra AD Synchronization Service" (Application Id: 6bf85cfa-ac8a-4be5-b5de-425a0d0dc016) will be provisioned in customer tenants using Microsoft Entra Connect Sync, or Microsoft Entra Cloud Sync service. - -In the upcoming release(s), you will receive communications around deprecation of the current 1st party app that’s used for syncing between Active Directory and Microsoft Entra ID that would require you to update to the latest version of either Microsoft Entra Connect Sync, or Microsoft Entra Cloud Sync. - ---- - ### General Availability - Dynamic Administrative Units **Type:** New feature From 6ae801f2bad6626e31231b46694d3c81328e67b1 Mon Sep 17 00:00:00 2001 
From: Ortagus Winfrey <85191667+OWinfreyATL@users.noreply.github.com> Date: Tue, 26 Nov 2024 17:38:26 -0500 Subject: [PATCH 04/19] Removed items added back --- docs/fundamentals/whats-new.md | 79 ++++++++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) diff --git a/docs/fundamentals/whats-new.md b/docs/fundamentals/whats-new.md index 82c46c7ca0e..87d066efcb2 100644 --- a/docs/fundamentals/whats-new.md +++ b/docs/fundamentals/whats-new.md 
@@ -29,6 +29,41 @@ For a more dynamic experience, you can now find this information in the Microsof ## November 2024 +### Public Preview - Microsoft Entra new store for certificate-based authentication + +**Type:** New feature +**Service category:** Authentications (Logins) +**Product capability:** User Authentication + +Microsoft Entra ID has a new scalable **PKI (Public Key Infrastructure) based CA** (Certificate Authorities) store with higher limits for the number of CAs and the size of each CA file. PKI based CA store allows CAs within each different PKI to be in its own container object allowing administrators to move away from one flat list of CAs to more efficient PKI container based CAs. PKI-based CA store now supports up to 250CAs, 8KB size for each CA and also supports issuers hints attribute for each CA. Administrators can also upload the entire PKI and all the CAs using the "Upload CBA PKI" feature or create a PKI container and upload CAs individually. + +--- + +### Changed feature - expansion of WhatsApp as an MFA one-time passcode delivery channel for Entra ID + +**Type:** Changed feature +**Service category:** MFA +**Product capability:** User Authentication + +In late 2023, Entra started leveraging WhatsApp as an alternate channel to deliver multifactor authentication (MFA) one-time passcodes to users in India and Indonesia. We saw improved deliverability, completion rates, and satisfaction when leveraging the channel in both countries. The channel was temporarily disabled in India in early 2024. Starting early December 2024, we will be re-enabling the channel in India, and expanding its use to additional countries. + +Starting December 2024, users in India, and other countries can start receiving MFA text messages via WhatsApp. Only users that are enabled to receive MFA text messages as an authentication method, and already have WhatsApp on their phone, will get this experience. 
If a user with WhatsApp on their device is unreachable or doesn’t have internet connectivity, we will quickly fall back to the regular SMS channel. In addition, users receiving OTPs via WhatsApp for the first time will be notified of the change in behavior via SMS text message. + +If you don’t want your users to receive MFA text messages through WhatsApp, you can disable text messages as an authentication method in your organization or scope it down to only be enabled for a subset of users. Please note that we highly encourage organizations move to using more modern, secure methods like Microsoft Authenticator and passkeys in favor of telecom and messaging app methods. For more information, see: [Text message verification](../identity/authentication/concept-authentication-phone-options.md#text-message-verification). + +--- + +### Public Preview - bring your own 3rd party email OTP provider for Microsoft Entra External ID + +**Type:** New feature +**Service category:** B2C - Consumer Identity Management +**Product capability:** 3rd Party Integration + +Bring your own favorite email provider for email OTPs of sign-in and sign-up flows to Microsoft Entra External ID. You can use Azure Communication Service (ACS), or true 3rd party of choice making your authentication experiences consistently branded. + + +--- + ### Public Preview - Updating profile photo in MyAccount **Type:** New feature 
@@ -41,6 +76,50 @@ In some environments, it’s necessary to prevent users from making this change. --- +### Retirement - MFA Fraud Alert will be retired on March 1st 2025 + +**Type:** Deprecated +**Service category:** MFA +**Product capability:** Identity Security & Protection + +Microsoft Entra multifactor authentication (MFA) [fraud alert](../identity/authentication/howto-mfa-mfasettings.md#fraud-alert) allows end users to report MFA voice calls, and Microsoft Authenticator push requests, they didn't initiate as fraudulent. Beginning March 1, 2025, MFA Fraud Alert will be retired in favor of the replacement feature [Report Suspicious Activity](../identity/authentication/howto-mfa-mfasettings.md#report-suspicious-activity) which allows end users to report fraudulent requests, and is also integrated with [Identity Protection](../id-protection/overview-identity-protection.md) for more comprehensive coverage and remediation. To ensure users can continue reporting fraudulent MFA requests, organizations should migrate to using Report Suspicious Activity, and review how reported activity is remediated based on their Microsoft Entra licensing. For more information, see: [Configure Microsoft Entra multifactor authentication settings](../identity/authentication/howto-mfa-mfasettings.md). + +--- + +### Public Preview - Universal CAE + +**Type:** New feature +**Service category:** Other +**Product capability:** Network Access + +Universal CAE revokes, and revalidates, network access in near real-time whenever Microsoft Entra ID detects changes to the identity. For more information, see: [Universal Continuous Access Evaluation (Preview)](../global-secure-access/concept-universal-continuous-access-evaluation.md). 
+ +--- + +### Change Announcement - Updates to “Target resources” in Microsoft Entra Conditional Access + +**Type:** Changed feature +**Service category:** Conditional Access +**Product capability:** Identity Security & Protection + +The Microsoft Entra Conditional Access '*Target resources*' assignment has a consolidated view for the "*Cloud apps*", and "*Global Secure Access*" options under a new name "*Resources*". + +Customers can now target "All internet resources with Global Secure Access", "All resources (formerly 'all cloud apps'), or select specific resources (formerly "select apps"). For more information, see: [Conditional Access: Target resources](../identity/conditional-access/concept-conditional-access-cloud-apps.md). + +--- + +### General Availability - Dedicated new 1p resource application to enable AD to Microsoft Entra ID sync using Microsoft Entra Connect Sync or Cloud Sync + +**Type:** Changed feature +**Service category:** Provisioning +**Product capability:** Directory + +As part of ongoing security hardening, Microsoft will deploy a dedicated 1st party application to enable the synchronization between Active Directory and Microsoft Entra ID. This new application, called the "Microsoft Entra AD Synchronization Service" (Application Id: 6bf85cfa-ac8a-4be5-b5de-425a0d0dc016) will be provisioned in customer tenants using Microsoft Entra Connect Sync, or Microsoft Entra Cloud Sync service. + +In the upcoming release(s), you will receive communications around deprecation of the current 1st party app that’s used for syncing between Active Directory and Microsoft Entra ID that would require you to update to the latest version of either Microsoft Entra Connect Sync, or Microsoft Entra Cloud Sync. + +--- + ### General Availability - Dynamic Administrative Units **Type:** New feature From 44b733cc8072ee30de849f8197922860a5889db4 Mon Sep 17 00:00:00 2001 
From: Ortagus Winfrey <85191667+OWinfreyATL@users.noreply.github.com> Date: Tue, 26 Nov 2024 18:53:42 -0500 Subject: [PATCH 05/19] updates --- docs/fundamentals/whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/fundamentals/whats-new.md b/docs/fundamentals/whats-new.md index 87d066efcb2..2489ca7f11e 100644 --- a/docs/fundamentals/whats-new.md +++ b/docs/fundamentals/whats-new.md 
@@ -35,7 +35,7 @@ For a more dynamic experience, you can now find this information in the Microsof **Service category:** Authentications (Logins) **Product capability:** User Authentication -Microsoft Entra ID has a new scalable **PKI (Public Key Infrastructure) based CA** (Certificate Authorities) store with higher limits for the number of CAs and the size of each CA file. PKI based CA store allows CAs within each different PKI to be in its own container object allowing administrators to move away from one flat list of CAs to more efficient PKI container based CAs. PKI-based CA store now supports up to 250CAs, 8KB size for each CA and also supports issuers hints attribute for each CA. Administrators can also upload the entire PKI and all the CAs using the "Upload CBA PKI" feature or create a PKI container and upload CAs individually. +Microsoft Entra ID has a new scalable **PKI (Public Key Infrastructure) based CA** (Certificate Authorities) store with higher limits for the number of CAs and the size of each CA file. PKI based CA store allows CAs within each different PKI to be in its own container object allowing administrators to move away from one flat list of CAs to more efficient PKI container based CAs. PKI-based CA store now supports up to 250CAs, 8KB size for each CA and also supports issuers hints attribute for each CA. Administrators can also upload the entire PKI and all the CAs using the "Upload CBA PKI" feature or create a PKI container and upload CAs individually. For more information, see: [Step 1: Configure the certificate authorities with PKI-based trust store (Preview)](/identity/authentication/how-to-certificate-based-authentication#step-1-configure-the-certificate-authorities-with-pki-based-trust-store-preview) --- From d287a37ed675897b3f56f6a27e38116319ae5e1a Mon Sep 17 00:00:00 2001 
From: Ortagus Winfrey <85191667+OWinfreyATL@users.noreply.github.com> Date: Tue, 26 Nov 2024 18:59:02 -0500 Subject: [PATCH 06/19] updates --- docs/fundamentals/whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/fundamentals/whats-new.md b/docs/fundamentals/whats-new.md index 2489ca7f11e..afbb7a0d2a0 100644 --- a/docs/fundamentals/whats-new.md +++ b/docs/fundamentals/whats-new.md 
@@ -35,7 +35,7 @@ For a more dynamic experience, you can now find this information in the Microsof **Service category:** Authentications (Logins) **Product capability:** User Authentication -Microsoft Entra ID has a new scalable **PKI (Public Key Infrastructure) based CA** (Certificate Authorities) store with higher limits for the number of CAs and the size of each CA file. PKI based CA store allows CAs within each different PKI to be in its own container object allowing administrators to move away from one flat list of CAs to more efficient PKI container based CAs. PKI-based CA store now supports up to 250CAs, 8KB size for each CA and also supports issuers hints attribute for each CA. Administrators can also upload the entire PKI and all the CAs using the "Upload CBA PKI" feature or create a PKI container and upload CAs individually. For more information, see: [Step 1: Configure the certificate authorities with PKI-based trust store (Preview)](/identity/authentication/how-to-certificate-based-authentication#step-1-configure-the-certificate-authorities-with-pki-based-trust-store-preview) +Microsoft Entra ID has a new scalable **PKI (Public Key Infrastructure) based CA** (Certificate Authorities) store with higher limits for the number of CAs and the size of each CA file. PKI based CA store allows CAs within each different PKI to be in its own container object allowing administrators to move away from one flat list of CAs to more efficient PKI container based CAs. PKI-based CA store now supports up to 250CAs, 8KB size for each CA and also supports issuers hints attribute for each CA. Administrators can also upload the entire PKI and all the CAs using the "Upload CBA PKI" feature or create a PKI container and upload CAs individually. For more information, see: [Step 1: Configure the certificate authorities with PKI-based trust store (Preview)](../identity/authentication/how-to-certificate-based-authentication.md#step-1-configure-the-certification-authorities). --- 
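Review bot: In patch 06/19, the replaced link at the end of the certificate-based authentication paragraph now points at the fragment `#step-1-configure-the-certification-authorities`, but the link text still reads "Step 1: Configure the certificate authorities with PKI-based trust store (Preview)", so text and target name different headings ("certification" vs "certificate", and no trust-store suffix). Check which heading actually exists in `how-to-certificate-based-authentication.md` and make the link text and fragment agree. The switch from the root-relative path to `../identity/authentication/how-to-certificate-based-authentication.md` and the added trailing period match the other links in this file and should stay.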
From f4bef1602777e86a309991ea9253520df8d0e399 Mon Sep 17 00:00:00 2001 From: Ortagus Winfrey <85191667+OWinfreyATL@users.noreply.github.com> Date: Tue, 26 Nov 2024 19:14:49 -0500 Subject: [PATCH 07/19] Update --- docs/fundamentals/whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/fundamentals/whats-new.md b/docs/fundamentals/whats-new.md index 0fc9eff8bf3..f6f1f78e19d 100644 --- a/docs/fundamentals/whats-new.md +++ b/docs/fundamentals/whats-new.md 
@@ -35,7 +35,7 @@ For a more dynamic experience, you can now find this information in the Microsof **Service category:** Authentications (Logins) **Product capability:** User Authentication -Microsoft Entra ID has a new scalable **PKI (Public Key Infrastructure) based CA** (Certificate Authorities) store with higher limits for the number of CAs and the size of each CA file. PKI based CA store allows CAs within each different PKI to be in its own container object allowing administrators to move away from one flat list of CAs to more efficient PKI container based CAs. PKI-based CA store now supports up to 250CAs, 8KB size for each CA and also supports issuers hints attribute for each CA. Administrators can also upload the entire PKI and all the CAs using the "Upload CBA PKI" feature or create a PKI container and upload CAs individually. For more information, see: [Step 1: Configure the certificate authorities with PKI-based trust store (Preview)](../identity/authentication/how-to-certificate-based-authentication.md#step-1-configure-the-certification-authorities). +Microsoft Entra ID has a new scalable **PKI (Public Key Infrastructure) based CA** (Certificate Authorities) store with higher limits for the number of CAs and the size of each CA file. PKI based CA store allows CAs within each different PKI to be in its own container object allowing administrators to move away from one flat list of CAs to more efficient PKI container based CAs. PKI-based CA store now supports up to 250CAs, 8KB size for each CA and also supports issuers hints attribute for each CA. Administrators can also upload the entire PKI and all the CAs using the "Upload CBA PKI" feature or create a PKI container and upload CAs individually. For more information, see: [Step 1: Configure the certificate authorities with PKI-based trust store (Preview)](../identity/authentication/how-to-certificate-based-authentication.md#step-1-configure-the-certificate-authorities-with-pki-based-trust-store-preview). 
--- From 0abfc945ca0d0ee68f3233d53beb2af76a7b7008 Mon Sep 17 00:00:00 2001 From: Ortagus Winfrey <85191667+OWinfreyATL@users.noreply.github.com> Date: Mon, 2 Dec 2024 09:22:51 -0500 Subject: [PATCH 08/19] updates --- docs/fundamentals/whats-new.md | 55 ---------------------------------- 1 file changed, 55 deletions(-) diff --git a/docs/fundamentals/whats-new.md b/docs/fundamentals/whats-new.md index f6f1f78e19d..e10952900a6 100644 --- a/docs/fundamentals/whats-new.md +++ b/docs/fundamentals/whats-new.md @@ -51,17 +51,6 @@ Starting December 2024, users in India, and other countries can start receiving If you don’t want your users to receive MFA text messages through WhatsApp, you can disable text messages as an authentication method in your organization or scope it down to only be enabled for a subset of users. Please note that we highly encourage organizations move to using more modern, secure methods like Microsoft Authenticator and passkeys in favor of telecom and messaging app methods. For more information, see: [Text message verification](../identity/authentication/concept-authentication-phone-options.md#text-message-verification). ---- - -### Public Preview - bring your own 3rd party email OTP provider for Microsoft Entra External ID - -**Type:** New feature -**Service category:** B2C - Consumer Identity Management -**Product capability:** 3rd Party Integration - -Bring your own favorite email provider for email OTPs of sign-in and sign-up flows to Microsoft Entra External ID. You can use Azure Communication Service (ACS), or true 3rd party of choice making your authentication experiences consistently branded. - - --- ### Public Preview - Updating profile photo in MyAccount 
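Review bot: The subject "updates" gives no reason for dropping the "bring your own 3rd party email OTP provider" announcement that this hunk removes from the November 2024 list. Please say in the commit message whether the item was postponed, moved to another month, or withdrawn, so that someone reading the history can tell an intentional retraction from an accidental deletion. The unchanged sentence just above the removal, "we highly encourage organizations move to using", is also missing "to" before "move" and could be fixed while this section is being edited.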
@@ -86,50 +75,6 @@ Microsoft Entra multifactor authentication (MFA) [fraud alert](../identity/authe --- -### Public Preview - Universal CAE - -**Type:** New feature -**Service category:** Other -**Product capability:** Network Access - -Universal CAE revokes, and revalidates, network access in near real-time whenever Microsoft Entra ID detects changes to the identity. For more information, see: [Universal Continuous Access Evaluation (Preview)](../global-secure-access/concept-universal-continuous-access-evaluation.md). - ---- - -### Change Announcement - Updates to “Target resources” in Microsoft Entra Conditional Access - -**Type:** Changed feature -**Service category:** Conditional Access -**Product capability:** Identity Security & Protection - -The Microsoft Entra Conditional Access '*Target resources*' assignment has a consolidated view for the "*Cloud apps*", and "*Global Secure Access*" options under a new name "*Resources*". - -Customers can now target "All internet resources with Global Secure Access", "All resources (formerly 'all cloud apps'), or select specific resources (formerly "select apps"). For more information, see: [Conditional Access: Target resources](../identity/conditional-access/concept-conditional-access-cloud-apps.md). - ---- - -### General Availability - Dedicated new 1p resource application to enable AD to Microsoft Entra ID sync using Microsoft Entra Connect Sync or Cloud Sync - -**Type:** Changed feature -**Service category:** Provisioning -**Product capability:** Directory - -As part of ongoing security hardening, Microsoft will deploy a dedicated 1st party application to enable the synchronization between Active Directory and Microsoft Entra ID. This new application, called the "Microsoft Entra AD Synchronization Service" (Application Id: 6bf85cfa-ac8a-4be5-b5de-425a0d0dc016) will be provisioned in customer tenants using Microsoft Entra Connect Sync, or Microsoft Entra Cloud Sync service. 
- -In the upcoming release(s), you will receive communications around deprecation of the current 1st party app that’s used for syncing between Active Directory and Microsoft Entra ID that would require you to update to the latest version of either Microsoft Entra Connect Sync, or Microsoft Entra Cloud Sync. - ---- - -### General Availability - Dynamic Administrative Units - -**Type:** New feature -**Service category:** RBAC -**Product capability:** AuthZ/Access Delegation - -Dynamic membership for users and devices in Administrative Units is now Generally Available. Instead of manually assigning users and devices to administrative units, tenant admins can set up a query for the administrative unit. The membership will be automatically maintained by Microsoft Entra ID. For more information, see: [Manage users or devices for an administrative unit with rules for dynamic membership groups](../identity/role-based-access-control/admin-units-members-dynamic.md). - ---- - ### Public Preview - Microsoft Entra Health Monitoring, Alerts Feature **Type:** Changed feature From f872957839b6c57005c812f7bcd48c1ce0bd716e Mon Sep 17 00:00:00 2001 From: TheWriteDoc <187326664+TheWriteDoc@users.noreply.github.com> Date: Mon, 2 Dec 2024 10:18:59 -0800 Subject: [PATCH 09/19] november 2024 refresh set 12 --- docs/identity/authentication/howto-password-smart-lockout.md | 2 +- .../howto-registration-mfa-sspr-combined-troubleshoot.md | 2 +- docs/identity/authentication/howto-sspr-authenticationdata.md | 2 +- docs/identity/authentication/howto-sspr-windows.md | 2 +- .../identity/authentication/multi-factor-authentication-faq.yml | 2 +- .../multi-factor-authentication-get-started-adfs.md | 2 +- docs/identity/authentication/overview-authentication.md | 2 +- docs/identity/authentication/passwords-faq.yml | 2 +- .../tutorial-configure-custom-password-protection.md | 2 +- .../tutorial-enable-security-notifications-for-audit-logs.md | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) 
diff --git a/docs/identity/authentication/howto-password-smart-lockout.md b/docs/identity/authentication/howto-password-smart-lockout.md index b0629337b1c..53200410f5e 100644 --- a/docs/identity/authentication/howto-password-smart-lockout.md +++ b/docs/identity/authentication/howto-password-smart-lockout.md @@ -5,7 +5,7 @@ description: Learn how Microsoft Entra smart lockout helps protect your organiza ms.service: entra-id ms.subservice: authentication ms.topic: how-to -ms.date: 08/09/2023 +ms.date: 12/02/2024 ms.author: justinha author: justinha diff --git a/docs/identity/authentication/howto-registration-mfa-sspr-combined-troubleshoot.md b/docs/identity/authentication/howto-registration-mfa-sspr-combined-troubleshoot.md index 13971d14db9..ea8142fcea1 100644 --- a/docs/identity/authentication/howto-registration-mfa-sspr-combined-troubleshoot.md +++ b/docs/identity/authentication/howto-registration-mfa-sspr-combined-troubleshoot.md @@ -6,7 +6,7 @@ ms.service: entra-id ms.subservice: authentication ms.custom: has-azure-ad-ps-ref ms.topic: troubleshooting -ms.date: 01/29/2023 +ms.date: 12/02/2024 ms.author: justinha author: justinha diff --git a/docs/identity/authentication/howto-sspr-authenticationdata.md b/docs/identity/authentication/howto-sspr-authenticationdata.md index d1ea5343ca3..7a143172e09 100644 --- a/docs/identity/authentication/howto-sspr-authenticationdata.md +++ b/docs/identity/authentication/howto-sspr-authenticationdata.md @@ -5,7 +5,7 @@ description: Learn how to prepopulate contact information for users of Microsoft ms.service: entra-id ms.subservice: authentication ms.topic: how-to -ms.date: 09/21/2023 +ms.date: 12/02/2024 ms.author: justinha author: justinha diff --git a/docs/identity/authentication/howto-sspr-windows.md b/docs/identity/authentication/howto-sspr-windows.md index e0364a15544..9a073f90f87 100644 --- a/docs/identity/authentication/howto-sspr-windows.md +++ b/docs/identity/authentication/howto-sspr-windows.md 
@@ -5,7 +5,7 @@ description: Learn how to enable Microsoft Entra self-service password reset at ms.service: entra-id ms.subservice: authentication ms.topic: how-to -ms.date: 09/14/2023 +ms.date: 12/02/2024 ms.author: justinha author: justinha diff --git a/docs/identity/authentication/multi-factor-authentication-faq.yml b/docs/identity/authentication/multi-factor-authentication-faq.yml index 1ff30e36d82..1c1b0a00e60 100644 --- a/docs/identity/authentication/multi-factor-authentication-faq.yml +++ b/docs/identity/authentication/multi-factor-authentication-faq.yml @@ -5,7 +5,7 @@ metadata: ms.service: entra-id ms.subservice: authentication ms.topic: faq - ms.date: 09/13/2023 + ms.date: 12/02/2024 ms.author: justinha author: justinha manager: amycolannino diff --git a/docs/identity/authentication/multi-factor-authentication-get-started-adfs.md b/docs/identity/authentication/multi-factor-authentication-get-started-adfs.md index 04260e1e38a..2c920e120c5 100644 --- a/docs/identity/authentication/multi-factor-authentication-get-started-adfs.md +++ b/docs/identity/authentication/multi-factor-authentication-get-started-adfs.md @@ -6,7 +6,7 @@ description: This is the Microsoft Entra multifactor authentication page that de ms.service: entra-id ms.subservice: authentication ms.topic: conceptual -ms.date: 01/29/2023 +ms.date: 12/02/2024 ms.author: justinha author: justinha diff --git a/docs/identity/authentication/overview-authentication.md b/docs/identity/authentication/overview-authentication.md index f4ce568afab..5173c62befc 100644 --- a/docs/identity/authentication/overview-authentication.md +++ b/docs/identity/authentication/overview-authentication.md @@ -5,7 +5,7 @@ description: Learn about the different authentication methods and security featu ms.service: entra-id ms.subservice: authentication ms.topic: overview -ms.date: 01/29/2023 +ms.date: 12/02/2024 ms.author: justinha author: justinha 
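Review bot: A new `ms.date` with no accompanying content change overstates how current these authentication articles are; each hunk in this commit changes only that field (for example 09/14/2023 to 12/02/2024 in howto-sspr-windows.md), and the diffstat shows one insertion and one deletion per file. If the date is meant to record a review, please confirm in the commit message that each article was actually checked, or hold the date bump until it can land together with the content edits for the same file.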
diff --git a/docs/identity/authentication/passwords-faq.yml b/docs/identity/authentication/passwords-faq.yml index 7c22962b3b9..fc1db7de707 100644 --- a/docs/identity/authentication/passwords-faq.yml +++ b/docs/identity/authentication/passwords-faq.yml @@ -5,7 +5,7 @@ metadata: ms.service: entra-id ms.subservice: authentication ms.topic: faq - ms.date: 08/13/2021 + ms.date: 12/02/2024 ms.author: justinha author: justinha manager: amycolannino diff --git a/docs/identity/authentication/tutorial-configure-custom-password-protection.md b/docs/identity/authentication/tutorial-configure-custom-password-protection.md index e70f7a9da38..3f100998b63 100644 --- a/docs/identity/authentication/tutorial-configure-custom-password-protection.md +++ b/docs/identity/authentication/tutorial-configure-custom-password-protection.md @@ -5,7 +5,7 @@ description: In this tutorial, you learn how to configure custom banned password ms.service: entra-id ms.subservice: authentication ms.topic: tutorial -ms.date: 09/14/2023 +ms.date: 12/02/2024 ms.author: justinha author: justinha diff --git a/docs/identity/authentication/tutorial-enable-security-notifications-for-audit-logs.md b/docs/identity/authentication/tutorial-enable-security-notifications-for-audit-logs.md index ef47a6623b8..560a8e2efef 100644 --- a/docs/identity/authentication/tutorial-enable-security-notifications-for-audit-logs.md +++ b/docs/identity/authentication/tutorial-enable-security-notifications-for-audit-logs.md @@ -5,7 +5,7 @@ description: Create an Azure Logic App that monitors Microsoft Entra audit logs ms.service: entra-id ms.subservice: authentication ms.topic: tutorial -ms.date: 12/06/2023 +ms.date: 12/02/2024 author: camilasinelli ms.author: justinha From 7d90903f56536680aa7738901c686b2a3ff558a3 Mon Sep 17 00:00:00 2001 
From: TheWriteDoc <187326664+TheWriteDoc@users.noreply.github.com> Date: Mon, 2 Dec 2024 10:32:50 -0800 Subject: [PATCH 10/19] fix Acro scores --- .../multi-factor-authentication-faq.yml | 52 +++++++++---------- ...-factor-authentication-get-started-adfs.md | 10 ++-- 2 files changed, 31 insertions(+), 31 deletions(-) diff --git a/docs/identity/authentication/multi-factor-authentication-faq.yml b/docs/identity/authentication/multi-factor-authentication-faq.yml index 1c1b0a00e60..6df27b81f42 100644 --- a/docs/identity/authentication/multi-factor-authentication-faq.yml +++ b/docs/identity/authentication/multi-factor-authentication-faq.yml 
@@ -15,31 +15,31 @@ summary: | This FAQ answers common questions about Microsoft Entra multifactor authentication and using the multifactor authentication service. It's broken down into questions about the service in general, billing models, user experiences, and troubleshooting. > [!IMPORTANT] - > In September 2022, Microsoft announced deprecation of Multi-Factor Authentication Server. Beginning September 30, 2024, Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users' authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra multifactor authentication service by using the latest Migration Utility included in the most recent [MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [MFA Server Migration](./how-to-migrate-mfa-server-to-mfa-user-authentication.md). + > In September 2022, Microsoft announced deprecation of Multifactor Authentication Server. Beginning September 30, 2024, Multifactor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users' authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra multifactor authentication service by using the latest Migration Utility included in the most recent [MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [MFA Server Migration](./how-to-migrate-mfa-server-to-mfa-user-authentication.md). 
sections: - name: General questions: - question: | - How does Azure Multi-Factor Authentication Server handle user data? + How does Azure Multifactor Authentication Server handle user data? answer: | - With Multi-Factor Authentication Server, user data is only stored on the on-premises servers. No persistent user data is stored in the cloud. When the user performs two-step verification, Multi-Factor Authentication Server sends data to the Microsoft Entra multifactor authentication cloud service for authentication. Communication between Multi-Factor Authentication Server and the multifactor authentication cloud service uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS) over port 443 outbound. + With Multifactor Authentication Server, user data is only stored on the on-premises servers. No persistent user data is stored in the cloud. When the user performs two-step verification, Multifactor Authentication Server sends data to the Microsoft Entra multifactor authentication cloud service for authentication. Communication between Multifactor Authentication Server and the multifactor authentication cloud service uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS) over port 443 outbound. When authentication requests are sent to the cloud service, data is collected for authentication and usage reports. 
The following data fields are included in two-step verification logs: - * **Unique ID** (either user name or on-premises Multi-Factor Authentication Server ID) + * **Unique ID** (either user name or on-premises Multifactor Authentication Server ID) * **First and Last Name** (optional) * **Email Address** (optional) * **Phone Number** (when using a voice call or text message authentication) * **Device Token** (when using mobile app authentication) * **Authentication Mode** * **Authentication Result** - * **Multi-Factor Authentication Server Name** - * **Multi-Factor Authentication Server IP** + * **Multifactor Authentication Server Name** + * **Multifactor Authentication Server IP** * **Client IP** (if available) - The optional fields can be configured in Multi-Factor Authentication Server. + The optional fields can be configured in Multifactor Authentication Server. The verification result (success or denial), and the reason if it was denied, is stored with the authentication data. This data is available in authentication and usage reports. 
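Review bot: The rewritten IMPORTANT note still says "Beginning September 30, 2024, Multifactor Authentication Server deployments will no longer service multifactor authentication requests", which is future tense for a date that falls before the 12/02/2024 `ms.date` this file received in the previous patch. Since the line is being edited anyway, please confirm the current status and reword it in the present or past tense. The rename is also applied unevenly in this hunk: the first question now says "Azure Multifactor Authentication Server" while its answer and the log field list say "Multifactor Authentication Server", so one form should be chosen.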
@@ -67,9 +67,9 @@ sections: - question: | Does Microsoft Entra multifactor authentication throttle user sign-ins? answer: | - Yes, in certain cases that typically involve repeated authentication requests in a short time window, Microsoft Entra multifactor authentication will throttle user sign-in attempts to protect telecommunication networks, mitigate MFA fatigue-style attacks and protect its own systems for the benefit of all customers. + Yes, in certain cases that typically involve repeated authentication requests in a short time window, Microsoft Entra multifactor authentication throttles user sign-in attempts to protect telecommunication networks, mitigate MFA fatigue-style attacks and protect its own systems for the benefit of all customers. - Although we don't share specific throttling limits, they are based around reasonable usage. + Although we don't share specific throttling limits, they're based around reasonable usage. - question: | Is my organization charged for sending the phone calls and text messages that are used for authentication? 
@@ -104,7 +104,7 @@ sections: answer: | If your organization purchases MFA as a standalone service with consumption-based billing, you choose a billing model when you create an MFA provider. You can't change the billing model after an MFA provider is created. - If your MFA provider is *not* linked to a Microsoft Entra tenant, or you link the new MFA provider to a different Microsoft Entra tenant, user settings, and configuration options aren't transferred. Also, existing MFA Servers need to be reactivated using activation credentials generated through the new MFA Provider. Reactivating the MFA Servers to link them to the new MFA Provider doesn't impact phone call and text message authentication, but mobile app notifications will stop working for all users until they reactivate the mobile app. + If your MFA provider is *not* linked to a Microsoft Entra tenant, or you link the new MFA provider to a different Microsoft Entra tenant, user settings, and configuration options aren't transferred. Also, existing MFA Servers need to be reactivated using activation credentials generated through the new MFA Provider. Reactivating the MFA Servers to link them to the new MFA Provider doesn't impact phone call and text message authentication, but mobile app notifications stop working for all users until they reactivate the mobile app. Learn more about MFA providers in [Getting started with an Azure multifactor authentication provider](concept-mfa-authprovider.md). 
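Review bot: The changed paragraph mixes "MFA provider" and "MFA Provider" ("the new MFA provider" at the start, "generated through the new MFA Provider" later in the same line); please settle on one capitalization. The comma in "user settings, and configuration options aren't transferred" splits a two-item list and should be removed.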
@@ -120,7 +120,7 @@ sections: - question: | Does my organization have to use and synchronize identities to use Microsoft Entra multifactor authentication? answer: | - If your organization uses a consumption-based billing model, Microsoft Entra ID is optional, but not required. If your MFA provider isn't linked to a Microsoft Entra tenant, you can only deploy Azure Multi-Factor Authentication Server on-premises. + If your organization uses a consumption-based billing model, Microsoft Entra ID is optional, but not required. If your MFA provider isn't linked to a Microsoft Entra tenant, you can only deploy Azure Multifactor Authentication Server on-premises. Microsoft Entra ID is required for the license model because licenses are added to the Microsoft Entra tenant when you purchase and assign them to users in the directory. @@ -133,7 +133,7 @@ sections: Third-party security apps may also block the verification code text message or phone call. If using a third-party security app, try disabling the protection, then request another MFA verification code be sent. - If the steps above don't work, check if users are configured for more than one verification method. Try signing in again, but select a different verification method on the sign-in page. + If the prior steps don't work, check if users are configured for more than one verification method. Try signing in again, but select a different verification method on the sign-in page. For more information, see the [end-user troubleshooting guide](https://support.microsoft.com/account-billing/common-problems-with-two-step-verification-for-a-work-or-school-account-63acbb9b-16a1-47b9-8619-6a865e8071a5). 
@@ -148,7 +148,7 @@ sections: To prevent unauthorized access, delete all the user's app passwords. After the user has a replacement device, they can recreate the passwords. Learn more about [managing user and device settings with Microsoft Entra multifactor authentication in the cloud](howto-mfa-userdevicesettings.yml). - question: | - What if a user can't sign in to non-browser apps? + What if a user can't sign in to nonbrowser apps? answer: | If your organization still uses legacy clients, and you [allowed the use of app passwords](howto-mfa-app-passwords.md), then your users can't sign in to these legacy clients with their username and password. Instead, they need to [set up app passwords](https://support.microsoft.com/account-billing/manage-app-passwords-for-two-step-verification-d6dc8c6d-4bf7-4851-ad95-6d07799387e9). Your users must clear (delete) their sign-in information, restart the app, and then sign in with their username and *app password* instead of their regular password. 
@@ -187,11 +187,11 @@ sections: For one-way SMS with Microsoft Entra multifactor authentication in the cloud (including the AD FS adapter or the Network Policy Server extension), you can't configure the timeout setting. Microsoft Entra ID stores the verification code for 180 seconds. - question: | - Can I use hardware tokens with Multi-Factor Authentication Server? + Can I use hardware tokens with Multifactor Authentication Server? answer: | - If you're using Multi-Factor Authentication Server, you can import third-party Open Authentication (OATH) time-based, one-time password (TOTP) tokens, and then use them for two-step verification. + If you're using Multifactor Authentication Server, you can import third-party Open Authentication (OATH) time-based, one-time password (TOTP) tokens, and then use them for two-step verification. - You can use ActiveIdentity tokens that are OATH TOTP tokens if you put the secret key in a CSV file and import to Multi-Factor Authentication Server. You can use OATH tokens with Active Directory Federation Services (ADFS), Internet Information Server (IIS) forms-based authentication, and Remote Authentication Dial-In User Service (RADIUS) as long as the client system can accept the user input. + You can use ActiveIdentity tokens that are OATH TOTP tokens if you put the secret key in a CSV file and import to Multifactor Authentication Server. You can use OATH tokens with Active Directory Federation Services (ADFS), Internet Information Server (IIS) forms-based authentication, and Remote Authentication Dial-In User Service (RADIUS) as long as the client system can accept the user input. You can import third-party OATH TOTP tokens with the following formats: 
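Review bot: "Active Directory Federation Services (ADFS)" on the changed line uses a different abbreviation from the "AD FS" in the context line of this same hunk ("including the AD FS adapter") and in multi-factor-authentication-get-started-adfs.md; please use "AD FS" here as well. Because the line tells administrators to "put the secret key in a CSV file", it would also help to add a sentence on restricting access to that file and deleting it after import, since it holds the TOTP secrets in readable form.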
@@ -199,16 +199,16 @@ sections: - CSV if the file contains a serial number, a secret key in Base 32 format, and a time interval - question: | - Can I use Multi-Factor Authentication Server to secure Terminal Services? + Can I use Multifactor Authentication Server to secure Terminal Services? answer: | Yes, but if you're using Windows Server 2012 R2 or later, you can only secure Terminal Services by using Remote Desktop Gateway (RD Gateway). - Security changes in Windows Server 2012 R2 changed how Multi-Factor Authentication Server connects to the Local Security Authority (LSA) security package in Windows Server 2012 and earlier versions. For versions of Terminal Services in Windows Server 2012 or earlier, you can [secure an application with Windows Authentication](howto-mfaserver-windows.md#to-secure-an-application-with-windows-authentication-use-the-following-procedure). If you're using Windows Server 2012 R2, you need RD Gateway. + Security changes in Windows Server 2012 R2 changed how Multifactor Authentication Server connects to the Local Security Authority (LSA) security package in Windows Server 2012 and earlier versions. For versions of Terminal Services in Windows Server 2012 or earlier, you can [secure an application with Windows Authentication](howto-mfaserver-windows.md#to-secure-an-application-with-windows-authentication-use-the-following-procedure). If you're using Windows Server 2012 R2, you need RD Gateway. - question: | I configured Caller ID in MFA Server, but my users still receive multifactor authentication calls from an anonymous caller. answer: | - When multifactor authentication calls are placed through the public telephone network, sometimes they are routed through a carrier that doesn't support caller ID. Because of this carrier behavior, caller ID isn't guaranteed, even though the multifactor authentication system always sends it. 
+ When multifactor authentication calls are placed through the public telephone network, sometimes they're routed through a carrier that doesn't support caller ID. Because of this carrier behavior, caller ID isn't guaranteed, even though the multifactor authentication system always sends it. - question: | Why are my users being prompted to register their security information? 
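Review bot: The changed sentence "Security changes in Windows Server 2012 R2 changed how Multifactor Authentication Server connects to the Local Security Authority (LSA) security package in Windows Server 2012 and earlier versions" is hard to follow, because it attributes behaviour in 2012 and earlier to a change made in 2012 R2. As the line is already being touched for the rename, please rewrite it so that it says plainly which versions the Windows Authentication procedure applies to and which need RD Gateway, matching the two sentences that follow it.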
@@ -226,28 +226,28 @@ sections: - name: Errors questions: - question: | - What should users do if they see an "Authentication request is not for an activated account" error message when using mobile app notifications? + What should users do if they see an "Authentication request isn't for an activated account" error message when using mobile app notifications? answer: | Ask the user to complete the following procedure to remove their account from the Microsoft Authenticator, then add it again: 1. Go to [their account profile](https://account.activedirectory.windowsazure.com/profile/) and sign in with an organizational account. 2. Select **Additional Security Verification**. 3. Remove the existing account from the Microsoft Authenticator app. - 4. Click **Configure**, and then follow the instructions to reconfigure the Microsoft Authenticator. + 4. Select **Configure**, and then follow the instructions to reconfigure the Microsoft Authenticator. - question: | - What should users do if they see a 0x800434D4L error message when signing in to a non-browser application? + What should users do if they see a 0x800434D4L error message when signing in to a nonbrowser application? answer: | - The *0x800434D4L* error occurs when you try to sign in to a non-browser application, installed on a local computer, that doesn't work with accounts that require two-step verification. + The *0x800434D4L* error occurs when you try to sign in to a nonbrowser application, installed on a local computer, that doesn't work with accounts that require two-step verification. - A workaround for this error is to have separate user accounts for admin-related and non-admin operations. Later, you can link mailboxes between your admin account and non-admin account so that you can sign in to Outlook by using your non-admin account. 
For more details about this solution, learn how to [give an administrator the ability to open and view the contents of a user's mailbox](https://help.outlook.com/141/gg709759.aspx?sl=1). + A workaround for this error is to have separate user accounts for admin-related and nonadmin operations. Later, you can link mailboxes between your admin account and nonadmin account so that you can sign in to Outlook by using your nonadmin account. For more details about this solution, learn how to [give an administrator the ability to open and view the contents of a user's mailbox](https://help.outlook.com/141/gg709759.aspx?sl=1). - question: | What are the possible reasons why a user fails, with the error code "LsaLogonUser failed with NTSTATUS -1073741715 for MFA Server"? answer: | Error 1073741715 = Status Logon Failure -> The attempted logon is invalid. This is due to either a bad username or authentication. - A plausible reason for this error: If the primary credentials entered are correct, there might be a mismatch between the supported NTLM version on the MFA server and the domain controller. MFA Server supports only NTLMv1 (LmCompatabilityLevel=1 thru 4) and not NTLMv2 (LmCompatabilityLevel=5). + A plausible reason for this error: If the primary credentials entered are correct, there might be a mismatch between the supported NTLM version on the MFA server and the domain controller. MFA Server supports only NTLMv1 (LmCompatabilityLevel=1 through 4) and not NTLMv2 (LmCompatabilityLevel=5). additionalContent: | ## Next steps 
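Review bot: The quoted error text in the first question was changed from "Authentication request is not for an activated account" to "Authentication request isn't for an activated account"; a quoted message should match what the product displays character for character, or users who search for the string will not find this entry. Please exclude quoted UI and error strings from the contraction pass and restore the original wording unless the product text itself changed. On the last changed line of the hunk, `LmCompatabilityLevel` is misspelled in both places; the registry value is `LmCompatibilityLevel`.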
@@ -255,4 +255,4 @@ additionalContent: | * Search the [Microsoft Support Knowledge Base](https://support.microsoft.com) for solutions to common technical issues. * Search for and browse technical questions and answers from the community, or ask your own question in the [Microsoft Entra Q&A](/answers/topics/azure-active-directory.html). - * Contact Microsoft professional through [Multi-Factor Authentication Server support](https://support.microsoft.com/oas/default.aspx?prid=14947). When contacting us, it's helpful if you can include as much information about your issue as possible. Information you can supply includes the page where you saw the error, the specific error code, the specific session ID, and the ID of the user who saw the error. + * Contact Microsoft professional through [Multifactor Authentication Server support](https://support.microsoft.com/oas/default.aspx?prid=14947). When contacting us, it's helpful if you can include as much information about your issue as possible. Information you can supply includes the page where you saw the error, the specific error code, the specific session ID, and the ID of the user who saw the error. diff --git a/docs/identity/authentication/multi-factor-authentication-get-started-adfs.md b/docs/identity/authentication/multi-factor-authentication-get-started-adfs.md index 2c920e120c5..c718d62b98c 100644 --- a/docs/identity/authentication/multi-factor-authentication-get-started-adfs.md +++ b/docs/identity/authentication/multi-factor-authentication-get-started-adfs.md 
@@ -22,7 +22,7 @@ ms.reviewer: michmcla If your organization has federated your on-premises Active Directory with Microsoft Entra ID using AD FS, there are two options for using Microsoft Entra multifactor authentication. * Secure cloud resources using Microsoft Entra multifactor authentication or Active Directory Federation Services -* Secure cloud and on-premises resources using Azure Multi-Factor Authentication Server +* Secure cloud and on-premises resources using Azure Multifactor Authentication Server The following table summarizes the verification experience between securing resources with Microsoft Entra multifactor authentication and AD FS 
@@ -34,12 +34,12 @@ The following table summarizes the verification experience between securing reso Caveats with app passwords for federated users: * App passwords are verified using cloud authentication, so they bypass federation. Federation is only actively used when setting up an app password. -* On-premises Client Access Control settings are not honored by app passwords. +* On-premises Client Access Control settings aren't honored by app passwords. * You lose on-premises authentication-logging capability for app passwords. * Account disable/deletion may take up to three hours for directory sync, delaying disable/deletion of app passwords in the cloud identity. -For information on setting up either Microsoft Entra multifactor authentication or the Azure Multi-Factor Authentication Server with AD FS, see the following articles: +For information on setting up either Microsoft Entra multifactor authentication or the Azure Multifactor Authentication Server with AD FS, see the following articles: * [Secure cloud resources using Microsoft Entra multifactor authentication and AD FS](howto-mfa-adfs.md) -* [Secure cloud and on-premises resources using Azure Multi-Factor Authentication Server with Windows Server](howto-mfaserver-adfs-windows-server.md) -* [Secure cloud and on-premises resources using Azure Multi-Factor Authentication Server with AD FS 2.0](howto-mfaserver-adfs-2.md) +* [Secure cloud and on-premises resources using Azure Multifactor Authentication Server with Windows Server](howto-mfaserver-adfs-windows-server.md) +* [Secure cloud and on-premises resources using Azure Multifactor Authentication Server with AD FS 2.0](howto-mfaserver-adfs-2.md) From 9335f5a2189168867ebcd52db9bc325e1de502f7 Mon Sep 17 00:00:00 2001 
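Review bot: In the MFA Server FAQ hunk (the "LsaLogonUser failed with NTSTATUS -1073741715" answer), the edited line still spells the setting as "LmCompatabilityLevel" in both places. The Windows value is LmCompatibilityLevel, so anyone who searches for or scripts against the name as written will not find it. The line is already being touched for "thru" to "through", so fix the spelling in the same change. The answer text just above gives the code as "Error 1073741715" while the question quotes "NTSTATUS -1073741715"; keep the sign consistent so the value stays searchable.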
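Review bot: In the "Next steps" hunk of the same FAQ file (@@ -255,4), the changed bullet still reads "Contact Microsoft professional through", which is missing a word; "Contact a Microsoft professional through" or "Contact Microsoft through" would read correctly. Since the line is rewritten anyway for the "Multifactor" spelling, fix it in this pass.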
From: Dennis Rea <61802807+denrea@users.noreply.github.com> Date: Mon, 2 Dec 2024 10:51:11 -0800 Subject: [PATCH 11/19] Acrolinx fixes --- .../tutorial-configure-custom-password-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/identity/authentication/tutorial-configure-custom-password-protection.md b/docs/identity/authentication/tutorial-configure-custom-password-protection.md index 3f100998b63..f5fd55edeae 100644 --- a/docs/identity/authentication/tutorial-configure-custom-password-protection.md +++ b/docs/identity/authentication/tutorial-configure-custom-password-protection.md @@ -15,7 +15,7 @@ ms.reviewer: rogoya --- # Tutorial: Configure custom banned passwords for Microsoft Entra password protection -Users often create passwords that use common local words such as a school, sports team, or famous person. These passwords are easy to guess, and weak against dictionary-based attacks. To enforce strong passwords in your organization, the Microsoft Entra custom banned password list let you add specific strings to evaluate and block. A password change request fails if there's a match in the custom banned password list. +Users often create passwords that use common local words such as a school, sports team, or famous person. These passwords are easy to guess, and weak against dictionary-based attacks. To enforce strong passwords in your organization, the Microsoft Entra custom banned password list lets you add specific strings to evaluate and block. A password change request fails if there's a match in the custom banned password list. In this tutorial you learn how to: 
@@ -82,7 +82,7 @@ To enable the custom banned password list and add entries to it, complete the fo It may take several hours for updates to the custom banned password list to be applied. -For a hybrid environment, you can also [deploy Microsoft Entra password protection to an on-premises environment](howto-password-ban-bad-on-premises-deploy.md). The same global and custom banned password lists are used for both cloud and on-prem password change requests. +For a hybrid environment, you can also [deploy Microsoft Entra password protection to an on-premises environment](howto-password-ban-bad-on-premises-deploy.md). The same global and custom banned password lists are used for both cloud and on-premises password change requests. ## Test custom banned password list From 26b192a6aacf13670bb05ebee0726482c97e0152 Mon Sep 17 00:00:00 2001 
From: TheWriteDoc <187326664+TheWriteDoc@users.noreply.github.com> Date: Mon, 2 Dec 2024 11:03:56 -0800 Subject: [PATCH 12/19] november 2024 refresh set 13 --- docs/identity/domain-services/alert-ldaps.md | 2 +- docs/identity/domain-services/alert-nsg.md | 2 +- docs/identity/domain-services/alert-service-principal.md | 2 +- docs/identity/domain-services/change-sku.md | 2 +- docs/identity/domain-services/check-health.md | 2 +- docs/identity/domain-services/concepts-custom-attributes.md | 2 +- docs/identity/domain-services/concepts-forest-trust.md | 2 +- docs/identity/domain-services/create-gmsa.md | 2 +- docs/identity/domain-services/create-ou.md | 2 +- docs/identity/domain-services/deploy-kcd.md | 2 +- docs/identity/domain-services/deploy-sp-profile-sync.md | 2 +- docs/identity/domain-services/feature-availability.md | 2 +- docs/identity/domain-services/fleet-metrics.md | 2 +- docs/identity/domain-services/how-to-data-retrieval.md | 2 +- docs/identity/domain-services/join-coreos-linux-vm.md | 2 +- docs/identity/domain-services/join-rhel-linux-vm.md | 2 +- docs/identity/domain-services/join-suse-linux-vm.md | 2 +- docs/identity/domain-services/join-ubuntu-linux-vm.md | 2 +- docs/identity/domain-services/join-windows-vm-template.md | 2 +- docs/identity/domain-services/manage-dns.md | 2 +- 20 files changed, 20 insertions(+), 20 deletions(-) diff --git a/docs/identity/domain-services/alert-ldaps.md b/docs/identity/domain-services/alert-ldaps.md index a3be33febf4..e6cb4e8a9b9 100644 --- a/docs/identity/domain-services/alert-ldaps.md +++ b/docs/identity/domain-services/alert-ldaps.md @@ -8,7 +8,7 @@ ms.assetid: 81208c0b-8d41-4f65-be15-42119b1b5957 ms.service: entra-id ms.subservice: domain-services ms.topic: troubleshooting -ms.date: 09/15/2023 +ms.date: 12/02/2024 ms.author: justinha --- # Known issues: Secure LDAP alerts in Microsoft Entra Domain Services 
diff --git a/docs/identity/domain-services/alert-nsg.md b/docs/identity/domain-services/alert-nsg.md index 1f47c1a8fca..36ade04f35e 100644 --- a/docs/identity/domain-services/alert-nsg.md +++ b/docs/identity/domain-services/alert-nsg.md @@ -8,7 +8,7 @@ ms.assetid: 95f970a7-5867-4108-a87e-471fa0910b8c ms.service: entra-id ms.subservice: domain-services ms.topic: troubleshooting -ms.date: 09/15/2023 +ms.date: 12/02/2024 ms.author: justinha --- # Known issues: Network configuration alerts in Microsoft Entra Domain Services diff --git a/docs/identity/domain-services/alert-service-principal.md b/docs/identity/domain-services/alert-service-principal.md index 614f2ae5d23..c7e86f08e4a 100644 --- a/docs/identity/domain-services/alert-service-principal.md +++ b/docs/identity/domain-services/alert-service-principal.md @@ -9,7 +9,7 @@ ms.service: entra-id ms.subservice: domain-services ms.custom: has-azure-ad-ps-ref, azure-ad-ref-level-one-done ms.topic: troubleshooting -ms.date: 09/15/2023 +ms.date: 12/02/2024 ms.author: justinha --- # Known issues: Service principal alerts in Microsoft Entra Domain Services diff --git a/docs/identity/domain-services/change-sku.md b/docs/identity/domain-services/change-sku.md index 044bab6e776..12fa3b5df07 100644 --- a/docs/identity/domain-services/change-sku.md +++ b/docs/identity/domain-services/change-sku.md @@ -7,7 +7,7 @@ manager: amycolannino ms.service: entra-id ms.subservice: domain-services ms.topic: how-to -ms.date: 09/15/2023 +ms.date: 12/02/2024 ms.author: justinha #Customer intent: As an identity administrator, I want to change the SKU for my Microsoft Entra Domain Services managed domain to use different features as my business requirements change. --- diff --git a/docs/identity/domain-services/check-health.md b/docs/identity/domain-services/check-health.md index 82dfd49346e..ea4a626df2b 100644 --- a/docs/identity/domain-services/check-health.md +++ b/docs/identity/domain-services/check-health.md 
@@ -8,7 +8,7 @@ ms.assetid: 8999eec3-f9da-40b3-997a-7a2587911e96 ms.service: entra-id ms.subservice: domain-services ms.topic: how-to -ms.date: 10/07/2023 +ms.date: 12/02/2024 ms.author: justinha --- # Check the health of a Microsoft Entra Domain Services managed domain diff --git a/docs/identity/domain-services/concepts-custom-attributes.md b/docs/identity/domain-services/concepts-custom-attributes.md index d44bda5ea69..913611bc684 100644 --- a/docs/identity/domain-services/concepts-custom-attributes.md +++ b/docs/identity/domain-services/concepts-custom-attributes.md @@ -8,7 +8,7 @@ ms.assetid: 1a14637e-b3d0-4fd9-ba7a-576b8df62ff2 ms.service: entra-id ms.subservice: domain-services ms.topic: how-to -ms.date: 09/21/2023 +ms.date: 12/02/2024 ms.author: justinha --- # Custom attributes for Microsoft Entra Domain Services diff --git a/docs/identity/domain-services/concepts-forest-trust.md b/docs/identity/domain-services/concepts-forest-trust.md index 085ae9a928b..1d3c372a45e 100644 --- a/docs/identity/domain-services/concepts-forest-trust.md +++ b/docs/identity/domain-services/concepts-forest-trust.md @@ -7,7 +7,7 @@ manager: amycolannino ms.service: entra-id ms.subservice: domain-services ms.topic: conceptual -ms.date: 11/27/2023 +ms.date: 12/02/2024 ms.author: justinha --- diff --git a/docs/identity/domain-services/create-gmsa.md b/docs/identity/domain-services/create-gmsa.md index 3287cf945a2..98dd52b0fcb 100644 --- a/docs/identity/domain-services/create-gmsa.md +++ b/docs/identity/domain-services/create-gmsa.md @@ -8,7 +8,7 @@ ms.assetid: e6faeddd-ef9e-4e23-84d6-c9b3f7d16567 ms.service: entra-id ms.subservice: domain-services ms.topic: how-to -ms.date: 09/23/2023 +ms.date: 12/02/2024 ms.author: justinha --- # Create a group managed service account (gMSA) in Microsoft Entra Domain Services diff --git a/docs/identity/domain-services/create-ou.md b/docs/identity/domain-services/create-ou.md index e383807887e..c268db61bdc 100644 
--- a/docs/identity/domain-services/create-ou.md +++ b/docs/identity/domain-services/create-ou.md @@ -8,7 +8,7 @@ ms.assetid: 52602ad8-2b93-4082-8487-427bdcfa8126 ms.service: entra-id ms.subservice: domain-services ms.topic: how-to -ms.date: 09/15/2023 +ms.date: 12/02/2024 ms.author: justinha --- # Create an Organizational Unit (OU) in a Microsoft Entra Domain Services managed domain diff --git a/docs/identity/domain-services/deploy-kcd.md b/docs/identity/domain-services/deploy-kcd.md index 78320e33873..63e700a5b74 100644 --- a/docs/identity/domain-services/deploy-kcd.md +++ b/docs/identity/domain-services/deploy-kcd.md @@ -8,7 +8,7 @@ ms.assetid: 938a5fbc-2dd1-4759-bcce-628a6e19ab9d ms.service: entra-id ms.subservice: domain-services ms.topic: how-to -ms.date: 09/23/2023 +ms.date: 12/02/2024 ms.author: justinha --- # Configure Kerberos constrained delegation (KCD) in Microsoft Entra Domain Services diff --git a/docs/identity/domain-services/deploy-sp-profile-sync.md b/docs/identity/domain-services/deploy-sp-profile-sync.md index 646e3a63e8b..3ad8b40f4ff 100644 --- a/docs/identity/domain-services/deploy-sp-profile-sync.md +++ b/docs/identity/domain-services/deploy-sp-profile-sync.md @@ -8,7 +8,7 @@ ms.assetid: 938a5fbc-2dd1-4759-bcce-628a6e19ab9d ms.service: entra-id ms.subservice: domain-services ms.topic: how-to -ms.date: 01/29/2023 +ms.date: 12/02/2024 ms.author: justinha --- # Configure Microsoft Entra Domain Services to support user profile synchronization for SharePoint Server diff --git a/docs/identity/domain-services/feature-availability.md b/docs/identity/domain-services/feature-availability.md index 006cb1cb68e..b19f8779459 100644 --- a/docs/identity/domain-services/feature-availability.md +++ b/docs/identity/domain-services/feature-availability.md 
@@ -5,7 +5,7 @@ description: Learn which Domain Services features are available in Azure Governm ms.service: entra-id ms.subservice: domain-services ms.topic: conceptual -ms.date: 01/29/2023 +ms.date: 12/02/2024 ms.author: justinha author: justinha diff --git a/docs/identity/domain-services/fleet-metrics.md b/docs/identity/domain-services/fleet-metrics.md index 3f82dd315ba..ca3bba7bb7b 100644 --- a/docs/identity/domain-services/fleet-metrics.md +++ b/docs/identity/domain-services/fleet-metrics.md @@ -8,7 +8,7 @@ ms.assetid: 8999eec3-f9da-40b3-997a-7a2587911e96 ms.service: entra-id ms.subservice: domain-services ms.topic: how-to -ms.date: 09/23/2023 +ms.date: 12/02/2024 ms.author: justinha --- # Check fleet metrics of Microsoft Entra Domain Services diff --git a/docs/identity/domain-services/how-to-data-retrieval.md b/docs/identity/domain-services/how-to-data-retrieval.md index efb76fc3f01..d84eff4f290 100644 --- a/docs/identity/domain-services/how-to-data-retrieval.md +++ b/docs/identity/domain-services/how-to-data-retrieval.md @@ -7,7 +7,7 @@ manager: amycolannino ms.service: entra-id ms.subservice: domain-services ms.topic: conceptual -ms.date: 09/14/2023 +ms.date: 12/02/2024 ms.author: justinha ms.reviewer: manthanm --- diff --git a/docs/identity/domain-services/join-coreos-linux-vm.md b/docs/identity/domain-services/join-coreos-linux-vm.md index 12a49532b13..3b8d4c318ab 100644 --- a/docs/identity/domain-services/join-coreos-linux-vm.md +++ b/docs/identity/domain-services/join-coreos-linux-vm.md @@ -10,7 +10,7 @@ ms.subservice: domain-services ms.custom: - linux-related-content ms.topic: how-to -ms.date: 09/23/2023 +ms.date: 12/02/2024 ms.author: justinha --- # Join a CoreOS virtual machine to a Microsoft Entra Domain Services managed domain diff --git a/docs/identity/domain-services/join-rhel-linux-vm.md b/docs/identity/domain-services/join-rhel-linux-vm.md index 4d90abe11bd..b31e47bf199 100644 --- a/docs/identity/domain-services/join-rhel-linux-vm.md 
+++ b/docs/identity/domain-services/join-rhel-linux-vm.md @@ -9,7 +9,7 @@ ms.service: entra-id ms.subservice: domain-services ms.custom: devx-track-linux, linux-related-content ms.topic: how-to -ms.date: 09/23/2023 +ms.date: 12/02/2024 ms.author: justinha --- # Join a Red Hat Enterprise Linux virtual machine to a Microsoft Entra Domain Services managed domain diff --git a/docs/identity/domain-services/join-suse-linux-vm.md b/docs/identity/domain-services/join-suse-linux-vm.md index bed71dcd844..eee03bb7eb2 100644 --- a/docs/identity/domain-services/join-suse-linux-vm.md +++ b/docs/identity/domain-services/join-suse-linux-vm.md @@ -8,7 +8,7 @@ ms.service: entra-id ms.subservice: domain-services ms.custom: devx-track-linux, linux-related-content ms.topic: how-to -ms.date: 09/23/2023 +ms.date: 12/02/2024 ms.author: justinha --- # Join a SUSE Linux Enterprise virtual machine to a Microsoft Entra Domain Services managed domain diff --git a/docs/identity/domain-services/join-ubuntu-linux-vm.md b/docs/identity/domain-services/join-ubuntu-linux-vm.md index 53e141bcdc6..f166576e81a 100644 --- a/docs/identity/domain-services/join-ubuntu-linux-vm.md +++ b/docs/identity/domain-services/join-ubuntu-linux-vm.md @@ -8,7 +8,7 @@ ms.assetid: 804438c4-51a1-497d-8ccc-5be775980203 ms.service: entra-id ms.subservice: domain-services ms.topic: how-to -ms.date: 09/23/2023 +ms.date: 12/02/2024 ms.author: justinha ms.custom: fasttrack-edit, devx-track-linux, linux-related-content --- diff --git a/docs/identity/domain-services/join-windows-vm-template.md b/docs/identity/domain-services/join-windows-vm-template.md index 20621169962..8d9ac771edc 100644 --- a/docs/identity/domain-services/join-windows-vm-template.md +++ b/docs/identity/domain-services/join-windows-vm-template.md @@ -9,7 +9,7 @@ ms.service: entra-id ms.subservice: domain-services ms.custom: devx-track-arm-template ms.topic: how-to -ms.date: 09/23/2023 +ms.date: 12/02/2024 ms.author: justinha --- 
diff --git a/docs/identity/domain-services/manage-dns.md b/docs/identity/domain-services/manage-dns.md index f47c3a4656f..9c10d806650 100644 --- a/docs/identity/domain-services/manage-dns.md +++ b/docs/identity/domain-services/manage-dns.md @@ -8,7 +8,7 @@ ms.assetid: 938a5fbc-2dd1-4759-bcce-628a6e19ab9d ms.service: entra-id ms.subservice: domain-services ms.topic: how-to -ms.date: 11/26/2023 +ms.date: 12/02/2024 ms.author: justinha --- # Administer DNS and create conditional forwarders in a Microsoft Entra Domain Services managed domain From fcdf7bfc211ca1667037412c19ef1196ee0b3045 Mon Sep 17 00:00:00 2001 From: Ortagus Winfrey <85191667+OWinfreyATL@users.noreply.github.com> Date: Mon, 2 Dec 2024 15:07:40 -0500 Subject: [PATCH 13/19] microsoft entra connect sync added --- docs/fundamentals/whats-new.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/fundamentals/whats-new.md b/docs/fundamentals/whats-new.md index e10952900a6..7982d5dc8d2 100644 --- a/docs/fundamentals/whats-new.md +++ b/docs/fundamentals/whats-new.md @@ -29,6 +29,16 @@ For a more dynamic experience, you can now find this information in the Microsof ## November 2024 +### General Availability - Microsoft Entra Connect Sync Version 2.4.27.0 + +**Type:** Changed feature +**Service category:** Provisioning +**Product capability:** Identity Governance + +On November 14, 2025, we released Microsoft Entra Connect Sync Version 2.4.27.0 that uses the OLE DB version 18.7.4 that further hardens our service. Upgrade to this latest version of connect sync to improve your security. More details are available in the [release notes](../identity/hybrid/connect/reference-connect-version-history.md#24270). + +--- + ### Public Preview - Microsoft Entra new store for certificate-based authentication **Type:** New feature From 9c616528ac2d0973de17f2c4eb64b6f394723f4d Mon Sep 17 00:00:00 2001 
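Review bot: Across the "november 2024 refresh set 13" patch, the unchanged front matter shows the same ms.assetid in more than one article: deploy-kcd.md, deploy-sp-profile-sync.md and manage-dns.md all carry 938a5fbc-2dd1-4759-bcce-628a6e19ab9d, and check-health.md and fleet-metrics.md both carry 8999eec3-f9da-40b3-997a-7a2587911e96. If the asset ID is meant to be unique per article, correct the copies while these files are open. Every hunk in the set changes only ms.date to 12/02/2024 with no content edits, so please confirm in the PR description that each article was actually re-reviewed before its date was bumped.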
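Review bot: In the "microsoft entra connect sync added" patch, the new entry gives the release date as "November 14, 2025", but it sits under "## November 2024" in a commit dated 2 Dec 2024, so the year looks like a typo for 2024; please check it against the linked release notes for 2.4.27.0. The heading says "General Availability" while "**Type:**" says "Changed feature", and "connect sync" in the last sentence should match the "Microsoft Entra Connect Sync" casing used in the heading. The entry asks readers to upgrade for security reasons, so the date should be right before merge.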
From: Ortagus Winfrey <85191667+OWinfreyATL@users.noreply.github.com> Date: Mon, 2 Dec 2024 15:24:47 -0500 Subject: [PATCH 14/19] Add link to Microsoft Entra Health documentation in what's new section --- docs/fundamentals/whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/fundamentals/whats-new.md b/docs/fundamentals/whats-new.md index 7982d5dc8d2..f002280a89a 100644 --- a/docs/fundamentals/whats-new.md +++ b/docs/fundamentals/whats-new.md @@ -101,7 +101,7 @@ Intelligent alerts in Microsoft Entra health monitoring notify tenant admins, an **Service category:** Reporting **Product capability:** Monitoring & Reporting -Microsoft Entra health monitoring, available from the Health pane, includes a set of low-latency pre-computed health metrics that can be used to monitor the health of critical user scenarios in your tenant. The first set of health scenarios includes MFA, CA-compliant devices, CA-managed devices, and SAML authentications. This set of monitor scenarios will grow over time. These health metrics are now released as general availability data streams, in conjunction with the public preview of an intelligent alerting capability. +Microsoft Entra health monitoring, available from the Health pane, includes a set of low-latency pre-computed health metrics that can be used to monitor the health of critical user scenarios in your tenant. The first set of health scenarios includes MFA, CA-compliant devices, CA-managed devices, and SAML authentications. This set of monitor scenarios will grow over time. These health metrics are now released as general availability data streams, in conjunction with the public preview of an intelligent alerting capability. For more information, see: [What is Microsoft Entra Health?](../identity/monitoring-health/concept-microsoft-entra-health.md). --- From 2f33c1055f24f959ff8674befad793b860f06156 Mon Sep 17 00:00:00 2001 
From: Ortagus Winfrey <85191667+OWinfreyATL@users.noreply.github.com> Date: Mon, 2 Dec 2024 15:40:43 -0500 Subject: [PATCH 15/19] May 2024 added to archive --- docs/fundamentals/whats-new-archive.md | 143 +++++++++++++++++++++++++ 1 file changed, 143 insertions(+) diff --git a/docs/fundamentals/whats-new-archive.md b/docs/fundamentals/whats-new-archive.md index d04557801aa..695f90e2758 100644 --- a/docs/fundamentals/whats-new-archive.md +++ b/docs/fundamentals/whats-new-archive.md 
@@ -21,6 +21,149 @@ For a more dynamic experience, you can now find the archive information in the M --- +## May 2024 + +### General Availability - Azure China 21Vianet now supports My sign-ins and MFA/SSPR Combined Registration + +**Type:** Changed feature +**Service category:** MFA +**Product capability:** Identity Security & Protection + +Beginning end of June 2024, all organizations utilizing Microsoft Azure China 21Vianet now has access to My Sign-ins activity reporting. They're required to use the combined security information registration end-user experience for MFA and SSPR. As a result of this enablement, users now see a unified SSPR and MFA registration experience when prompted to register for SSPR or MFA. For more information, see: [Combined security information registration for Microsoft Entra overview](../identity/authentication/concept-registration-mfa-sspr-combined.md). + +--- + +### General Availability - $select in `signIn` API + +**Type:** New feature +**Service category:** MS Graph +**Product capability:** Monitoring & Reporting + +The long-awaited `$select` property is now implemented into the `signIn` API. Utilize the `$select` to reduce the number of attributes that are returned for each log. This update should greatly help customers who deal with throttling issues, and allow every customer to run faster, more efficient queries. + +--- + +### General Availability - Multiple Passwordless Phone sign-ins for Android Devices + +**Type:** New feature +**Service category:** Authentications (Logins) +**Product capability:** User Authentication + +End users can now enable passwordless phone sign-in for multiple accounts in the Authenticator App on any supported Android device. Consultants, students, and others with multiple accounts in Microsoft Entra can add each account to Microsoft Authenticator and use passwordless phone sign-in for all of them from the same Android device. 
The Microsoft Entra accounts can be in the same tenant or different tenants. Guest accounts aren't supported for multiple account sign-ins from one device. For more information, see: [Enable passwordless sign-in with Microsoft Authenticator](../identity/authentication/howto-authentication-passwordless-phone.md). + +--- + +### Public Preview - Bicep templates support for Microsoft Graph + +**Type:** New feature +**Service category:** MS Graph +**Product capability:** Developer Experience + +The Microsoft Graph Bicep extension brings declarative infrastructure-as-code (IaC) capabilities to Microsoft Graph resources. It allows you to author, deploy, and manage core Microsoft Entra ID resources using Bicep template files, alongside Azure resources. + +- Existing Azure customers can now use familiar tools to deploy Azure resources and the Microsoft Entra resources they depend on, such as applications and service principals, IaC and DevOps practices. +- It also opens the door for existing Microsoft Entra customers to use Bicep templates and IaC practices to deploy and manage their tenant's Microsoft Entra resources. + +For more information, see: [Bicep templates for Microsoft Graph resources](/graph/templates/) + +--- + +### Public Preview - Platform Single Sign-on for macOS with Microsoft Entra ID + +**Type:** New feature +**Service category:** Authentications (Logins) +**Product capability:** User Authentication + +Today we’re announcing that Platform SSO for macOS is available in public preview with Microsoft Entra ID. Platform SSO is an enhancement to the Microsoft Enterprise SSO plug-in for Apple Devices that makes usage and management of Mac devices more seamless and secure than ever. At the start of public preview, Platform SSO works with Microsoft Intune. Other Mobile Device Management (MDM) providers are coming soon. Contact your MDM provider for more information on support and availability. 
For more information, see: [macOS Platform Single Sign-on overview (preview)](../identity/devices/macos-psso.md). + +--- + +### Public Preview - Workflow History Insights in Lifecycle Workflows + +**Type:** New feature +**Service category:** Lifecycle Workflows +**Product capability:** Identity Lifecycle Management + +Customers can now monitor workflow health, and get insights throughout all their workflows in Lifecycle Workflows including viewing workflow processing data across workflows, tasks, and workflow categories. For more information, see: [Workflow Insights (preview)](../id-governance/lifecycle-workflow-insights.md). + +--- + +### Public Preview - Configure Lifecycle Workflow Scope Using Custom Security Attributes + +**Type:** New feature +**Service category:** Lifecycle Workflows +**Product capability:** Identity Lifecycle Management + +Customers can now apply their confidential HR data stored in custom security attributes in addition to other attributes. This update enables customers to define the scope of their workflows in Lifecycle Workflows for automating joiner, mover, and leaver scenarios. For more information, see: [Use custom security attributes to scope a workflow](../id-governance/lifecycle-workflow-insights.md). + +--- + +### Public Preview - Enable, Disable, and Delete synchronized users accounts with Lifecycle Workflows + +**Type:** New feature +**Service category:** Lifecycle Workflows +**Product capability:** Identity Lifecycle Management + +Lifecycle Workflows can now enable, disable, and delete user accounts that are synchronized from Active Directory Domain Services (AD DS) to Microsoft Entra. This feature allows you to ensure that the offboarding processes of your employees are completed by deleting the user account after a retention period. + +For more information, see: [Managing synced on-premises users with Lifecycle Workflows](../id-governance/lifecycle-workflow-on-premises.md). 
+ +--- + +### Public Preview - External authentication methods for multifactor authentication + +**Type:** New feature +**Service category:** MFA +**Product capability:** User Authentication + +External authentication methods enable you to use your preferred multifactor authentication (MFA) solution with Microsoft Entra ID. For more information, see: [Manage an external authentication method in Microsoft Entra ID (Preview)](../identity/authentication/how-to-authentication-external-method-manage.md). + +--- + +### General Availability - `LastSuccessfulSignIn` + +**Type:** Changed feature +**Service category:** MS Graph +**Product capability:** Monitoring & Reporting + +Due to popular demand and increased confidence in the stability of the properties, the update adds `LastSuccessfulSignIn` &` LastSuccessfulSigninDateTime` into V1. Feel free to take dependencies on these properties in your production environments now. For more information, see: [signInActivity resource type](/graph/api/resources/signinactivity). + +--- + +### General Availability - Changing default accepted token version for new applications + +**Type:** Plan for change +**Service category:** Other +**Product capability:** Developer Experience + +Beginning in August 2024, new Microsoft Entra applications created using any interface (including the Microsoft Entra admin center, Azure portal, Powershell/CLI, or the Microsoft Graph application API) has the default value of the `requestedAccessTokenVersion` property in the app registration set to 2. This capability is a change from the previous default of null` (meaning 1). This means that new resource applications receive v2 access tokens instead of v1 by default. This update improves the security of apps. For more information on differences between token versions, see: [Access tokens in the Microsoft identity platform](../identity-platform/access-tokens.md) and [Access token claims reference](../identity-platform/access-token-claims-reference.md). 
+ +--- + +### General Availability - Windows Account extension is now Microsoft Single Sign On + +**Type:** Changed feature +**Service category:** Authentications (Logins) +**Product capability:** SSO + +The Windows Account extension is now the [Microsoft Single Sign On](https://chromewebstore.google.com/detail/microsoft-single-sign-on/ppnbnpeolgkicgegkbkbjmhlideopiji) extension in docs and Chrome store. The Windows Account extension is updated to represent the new macOS compatibility. This capability is now known as the Microsoft Single Sign On (SSO) extension for Chrome, offering single sign-on and device identity features with the Enterprise SSO plug-in for Apple devices. This update is only a name change for the extension, there are no software changes to the extension itself. + +--- + +### General Availability - New provisioning connectors in the Microsoft Entra Application Gallery - May 2024 + +**Type:** New feature +**Service category:** App Provisioning +**Product capability:** Third Party Integration + +Microsoft added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps: + +- [ClearView Trade](../identity/saas-apps/clearview-trade-provisioning-tutorial.md) + +For more information about how to better secure your organization by using automated user account provisioning, see: [What is app provisioning in Microsoft Entra ID?](../identity/app-provisioning/user-provisioning.md). + +--- + ## April 2024 ### Public Preview - FIDO2 authentication in Android web browsers From 0130eb3c462ad2f1bce4181d444d7b69e0eca0cd Mon Sep 17 00:00:00 2001 From: Ortagus Winfrey <85191667+OWinfreyATL@users.noreply.github.com> Date: Mon, 2 Dec 2024 15:55:55 -0500 Subject: [PATCH 16/19] Remove outdated May 2024 updates from the what's new documentation --- docs/fundamentals/whats-new.md | 142 --------------------------------- 1 file changed, 142 deletions(-) 
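Review bot: In the May 2024 block added to whats-new-archive.md, the "Configure Lifecycle Workflow Scope Using Custom Security Attributes" entry links "Use custom security attributes to scope a workflow" to ../id-governance/lifecycle-workflow-insights.md, the same target as the "Workflow Insights (preview)" entry above it, so the link most likely points at the wrong article. Two inline-code spans are also broken: "`LastSuccessfulSignIn` &` LastSuccessfulSigninDateTime`" has a misplaced backtick, and "previous default of null` (meaning 1)" has an unpaired one, which can spill code formatting into the rest of the paragraph. Smaller points in the same hunk: "all organizations ... now has access" and "new Microsoft Entra applications ... has the default value" need "have", and "Powershell" should be "PowerShell".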
diff --git a/docs/fundamentals/whats-new.md b/docs/fundamentals/whats-new.md index f002280a89a..6705267c061 100644 --- a/docs/fundamentals/whats-new.md +++ b/docs/fundamentals/whats-new.md 
@@ -589,145 +589,3 @@ While the feature is in preview, no technical support is provided. Learn more ab --- -## May 2024 - -### General Availability - Azure China 21Vianet now supports My sign-ins and MFA/SSPR Combined Registration - -**Type:** Changed feature -**Service category:** MFA -**Product capability:** Identity Security & Protection - -Beginning end of June 2024, all organizations utilizing Microsoft Azure China 21Vianet now has access to My Sign-ins activity reporting. They're required to use the combined security information registration end-user experience for MFA and SSPR. As a result of this enablement, users now see a unified SSPR and MFA registration experience when prompted to register for SSPR or MFA. For more information, see: [Combined security information registration for Microsoft Entra overview](../identity/authentication/concept-registration-mfa-sspr-combined.md). - ---- - -### General Availability - $select in `signIn` API - -**Type:** New feature -**Service category:** MS Graph -**Product capability:** Monitoring & Reporting - -The long-awaited `$select` property is now implemented into the `signIn` API. Utilize the `$select` to reduce the number of attributes that are returned for each log. This update should greatly help customers who deal with throttling issues, and allow every customer to run faster, more efficient queries. - ---- - -### General Availability - Multiple Passwordless Phone sign-ins for Android Devices - -**Type:** New feature -**Service category:** Authentications (Logins) -**Product capability:** User Authentication - -End users can now enable passwordless phone sign-in for multiple accounts in the Authenticator App on any supported Android device. Consultants, students, and others with multiple accounts in Microsoft Entra can add each account to Microsoft Authenticator and use passwordless phone sign-in for all of them from the same Android device. 
The Microsoft Entra accounts can be in the same tenant or different tenants. Guest accounts aren't supported for multiple account sign-ins from one device. For more information, see: [Enable passwordless sign-in with Microsoft Authenticator](../identity/authentication/howto-authentication-passwordless-phone.md). - ---- - -### Public Preview - Bicep templates support for Microsoft Graph - -**Type:** New feature -**Service category:** MS Graph -**Product capability:** Developer Experience - -The Microsoft Graph Bicep extension brings declarative infrastructure-as-code (IaC) capabilities to Microsoft Graph resources. It allows you to author, deploy, and manage core Microsoft Entra ID resources using Bicep template files, alongside Azure resources. - -- Existing Azure customers can now use familiar tools to deploy Azure resources and the Microsoft Entra resources they depend on, such as applications and service principals, IaC and DevOps practices. -- It also opens the door for existing Microsoft Entra customers to use Bicep templates and IaC practices to deploy and manage their tenant's Microsoft Entra resources. - -For more information, see: [Bicep templates for Microsoft Graph resources](/graph/templates/) - ---- - -### Public Preview - Platform Single Sign-on for macOS with Microsoft Entra ID - -**Type:** New feature -**Service category:** Authentications (Logins) -**Product capability:** User Authentication - -Today we’re announcing that Platform SSO for macOS is available in public preview with Microsoft Entra ID. Platform SSO is an enhancement to the Microsoft Enterprise SSO plug-in for Apple Devices that makes usage and management of Mac devices more seamless and secure than ever. At the start of public preview, Platform SSO works with Microsoft Intune. Other Mobile Device Management (MDM) providers are coming soon. Contact your MDM provider for more information on support and availability. 
For more information, see: [macOS Platform Single Sign-on overview (preview)](../identity/devices/macos-psso.md). - ---- - -### Public Preview - Workflow History Insights in Lifecycle Workflows - -**Type:** New feature -**Service category:** Lifecycle Workflows -**Product capability:** Identity Lifecycle Management - -Customers can now monitor workflow health, and get insights throughout all their workflows in Lifecycle Workflows including viewing workflow processing data across workflows, tasks, and workflow categories. For more information, see: [Workflow Insights (preview)](../id-governance/lifecycle-workflow-insights.md). - ---- - -### Public Preview - Configure Lifecycle Workflow Scope Using Custom Security Attributes - -**Type:** New feature -**Service category:** Lifecycle Workflows -**Product capability:** Identity Lifecycle Management - -Customers can now apply their confidential HR data stored in custom security attributes in addition to other attributes. This update enables customers to define the scope of their workflows in Lifecycle Workflows for automating joiner, mover, and leaver scenarios. For more information, see: [Use custom security attributes to scope a workflow](../id-governance/lifecycle-workflow-insights.md). - ---- - -### Public Preview - Enable, Disable, and Delete synchronized users accounts with Lifecycle Workflows - -**Type:** New feature -**Service category:** Lifecycle Workflows -**Product capability:** Identity Lifecycle Management - -Lifecycle Workflows can now enable, disable, and delete user accounts that are synchronized from Active Directory Domain Services (AD DS) to Microsoft Entra. This feature allows you to ensure that the offboarding processes of your employees are completed by deleting the user account after a retention period. - -For more information, see: [Managing synced on-premises users with Lifecycle Workflows](../id-governance/lifecycle-workflow-on-premises.md). 
- ---- - -### Public Preview - External authentication methods for multifactor authentication - -**Type:** New feature -**Service category:** MFA -**Product capability:** User Authentication - -External authentication methods enable you to use your preferred multifactor authentication (MFA) solution with Microsoft Entra ID. For more information, see: [Manage an external authentication method in Microsoft Entra ID (Preview)](../identity/authentication/how-to-authentication-external-method-manage.md). - ---- - -### General Availability - `LastSuccessfulSignIn` - -**Type:** Changed feature -**Service category:** MS Graph -**Product capability:** Monitoring & Reporting - -Due to popular demand and increased confidence in the stability of the properties, the update adds `LastSuccessfulSignIn` &` LastSuccessfulSigninDateTime` into V1. Feel free to take dependencies on these properties in your production environments now. For more information, see: [signInActivity resource type](/graph/api/resources/signinactivity). - ---- - -### General Availability - Changing default accepted token version for new applications - -**Type:** Plan for change -**Service category:** Other -**Product capability:** Developer Experience - -Beginning in August 2024, new Microsoft Entra applications created using any interface (including the Microsoft Entra admin center, Azure portal, Powershell/CLI, or the Microsoft Graph application API) has the default value of the `requestedAccessTokenVersion` property in the app registration set to 2. This capability is a change from the previous default of null` (meaning 1). This means that new resource applications receive v2 access tokens instead of v1 by default. This update improves the security of apps. For more information on differences between token versions, see: [Access tokens in the Microsoft identity platform](../identity-platform/access-tokens.md) and [Access token claims reference](../identity-platform/access-token-claims-reference.md). 
- ---- - -### General Availability - Windows Account extension is now Microsoft Single Sign On - -**Type:** Changed feature -**Service category:** Authentications (Logins) -**Product capability:** SSO - -The Windows Account extension is now the [Microsoft Single Sign On](https://chromewebstore.google.com/detail/microsoft-single-sign-on/ppnbnpeolgkicgegkbkbjmhlideopiji) extension in docs and Chrome store. The Windows Account extension is updated to represent the new macOS compatibility. This capability is now known as the Microsoft Single Sign On (SSO) extension for Chrome, offering single sign-on and device identity features with the Enterprise SSO plug-in for Apple devices. This update is only a name change for the extension, there are no software changes to the extension itself. - ---- - -### General Availability - New provisioning connectors in the Microsoft Entra Application Gallery - May 2024 - -**Type:** New feature -**Service category:** App Provisioning -**Product capability:** Third Party Integration - -Microsoft added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps: - -- [ClearView Trade](../identity/saas-apps/clearview-trade-provisioning-tutorial.md) - -For more information about how to better secure your organization by using automated user account provisioning, see: [What is app provisioning in Microsoft Entra ID?](../identity/app-provisioning/user-provisioning.md). - ---- From fb7b2f4e76ea4b84fa0e4d7900d8772094eabed1 Mon Sep 17 00:00:00 2001 From: Ortagus Winfrey <85191667+OWinfreyATL@users.noreply.github.com> Date: Mon, 2 Dec 2024 16:00:17 -0500 Subject: [PATCH 17/19] updated doc type --- docs/fundamentals/whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/fundamentals/whats-new.md b/docs/fundamentals/whats-new.md index 6705267c061..0048f33bbde 100644 --- a/docs/fundamentals/whats-new.md 
+++ b/docs/fundamentals/whats-new.md @@ -8,7 +8,7 @@ featureFlags: ms.assetid: 06a149f7-4aa1-4fb9-a8ec-ac2633b031fb ms.service: entra ms.subservice: fundamentals -ms.topic: whats-new +ms.topic: reference ms.date: 09/19/2024 ms.author: owinfrey ms.reviewer: dhanyahk From cbb7b0471557f9bf58bc964bc30dcbafdee4a26e Mon Sep 17 00:00:00 2001 From: Ortagus Winfrey <85191667+OWinfreyATL@users.noreply.github.com> Date: Mon, 2 Dec 2024 16:01:23 -0500 Subject: [PATCH 18/19] date --- docs/fundamentals/whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/fundamentals/whats-new.md b/docs/fundamentals/whats-new.md index 0048f33bbde..2cbb8b56092 100644 --- a/docs/fundamentals/whats-new.md +++ b/docs/fundamentals/whats-new.md @@ -9,7 +9,7 @@ ms.assetid: 06a149f7-4aa1-4fb9-a8ec-ac2633b031fb ms.service: entra ms.subservice: fundamentals ms.topic: reference -ms.date: 09/19/2024 +ms.date: 12/02/2024 ms.author: owinfrey ms.reviewer: dhanyahk ms.custom: it-pro, has-azure-ad-ps-ref From 17fb1c61d6faaed103672b256df31d806aa2bfc1 Mon Sep 17 00:00:00 2001 From: Ryan Wike <> Date: Mon, 2 Dec 2024 14:22:23 -0800 Subject: [PATCH 19/19] refreshed article --- .../identity/managed-identities-azure-resources/overview.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/identity/managed-identities-azure-resources/overview.md b/docs/identity/managed-identities-azure-resources/overview.md index 4d53c20930d..d28c31c8178 100644 --- a/docs/identity/managed-identities-azure-resources/overview.md +++ b/docs/identity/managed-identities-azure-resources/overview.md @@ -7,7 +7,7 @@ ms.assetid: 0232041d-b8f5-4bd2-8d11-27999ad69370 ms.service: entra-id ms.subservice: managed-identities ms.topic: overview -ms.date: 01/23/2023 +ms.date: 12/02/2024 ms.author: ryanwi 
@@ -41,7 +41,7 @@ There are two types of managed identities: - A service principal of a special type is created in Microsoft Entra ID for the identity. The service principal is tied to the lifecycle of that Azure resource. When the Azure resource is deleted, Azure automatically deletes the service principal for you. - By design, only that Azure resource can use this identity to request tokens from Microsoft Entra ID. - You authorize the managed identity to have access to one or more services. - - The name of the system-assigned service principal is always the same as the name of the Azure resource it is created for. For a deployment slot, the name of its system-assigned identity is ```/slots/```. + - The name of the system-assigned service principal is always the same as the name of the Azure resource it's created for. For a deployment slot, the name of its system-assigned identity is ```/slots/```. - **User-assigned**. You may also create a managed identity as a standalone Azure resource. You can [create a user-assigned managed identity](./how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-azp) and assign it to one or more Azure Resources. When you enable a user-assigned managed identity: - A service principal of a special type is created in Microsoft Entra ID for the identity. The service principal is managed separately from the resources that use it. @@ -56,7 +56,7 @@ The following table shows the differences between the two types of managed ident | Creation | Created as part of an Azure resource (for example, Azure Virtual Machines or Azure App Service). | Created as a stand-alone Azure resource. | | Life cycle | Shared life cycle with the Azure resource that the managed identity is created with.
When the parent resource is deleted, the managed identity is deleted as well. | Independent life cycle.
Must be explicitly deleted. | | Sharing across Azure resources | Can’t be shared.
It can only be associated with a single Azure resource. | Can be shared.
The same user-assigned managed identity can be associated with more than one Azure resource. | -| Common use cases | Workloads contained within a single Azure resource.
Workloads needing independent identities.
For example, an application that runs on a single virtual machine. | Workloads that run on multiple resources and can share a single identity.
Workloads needing pre-authorization to a secure resource, as part of a provisioning flow.
Workloads where resources are recycled frequently, but permissions should stay consistent.
For example, a workload where multiple virtual machines need to access the same resource. | +| Common use cases | Workloads contained within a single Azure resource.
Workloads needing independent identities.
For example, an application that runs on a single virtual machine. | Workloads that run on multiple resources and can share a single identity.
Workloads needing preauthorization to a secure resource, as part of a provisioning flow.
Workloads where resources are recycled frequently, but permissions should stay consistent.
For example, a workload where multiple virtual machines need to access the same resource. | ## How can I use managed identities for Azure resources?
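Review bot: In the hunk @@ -589,145 +589,3 @@ of docs/fundamentals/whats-new.md, the whole May 2024 section is deleted and nothing in the lines shown here re-adds it elsewhere, so confirm that the series carries the section into the archive page. When it lands there, fix three defects visible in the removed text instead of copying them: the "Use custom security attributes to scope a workflow" link targets lifecycle-workflow-insights.md, the same file as the Workflow Insights entry above it; the LastSuccessfulSignIn entry has a misplaced backtick before LastSuccessfulSigninDateTime; and the token-version entry has an unbalanced backtick after null. The last one matters most, because that entry documents the requestedAccessTokenVersion default moving from null (meaning 1) to 2, and the old value needs to render cleanly for anyone checking which token version their resource app accepts.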
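Review bot: PATCH 17/19 changes ms.topic from whats-new to reference but leaves ms.date at 09/19/2024 in the same front matter, and PATCH 18/19 ("date") then bumps it to 12/02/2024; squash the two so no commit in history has the new topic type with a stale date. The subject "updated doc type" also gives no reason for the change of topic type, so add a line of rationale to the commit body.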
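Review bot: In PATCH 19/19, hunk @@ -41,7 +41,7 @@ of overview.md, the edited bullet still gives the deployment-slot identity name as ```/slots/``` with nothing on either side of the path, so as it appears here the naming pattern cannot be read. If the source has angle-bracket placeholders for the app and slot names, check that they are not being swallowed as HTML, and replace the triple backticks with a single-backtick inline code span. Readers use this name to find the system-assigned service principal when they authorize it for a service, so the pattern should be unambiguous; the contraction change alone does not address that.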
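Review bot: In PATCH 19/19, hunk @@ -56,7 +56,7 @@ of overview.md, only "pre-authorization" is normalized, while the unchanged rows of the same table keep "stand-alone Azure resource" (the bullet list in the previous hunk says "standalone Azure resource"), "Life cycle" (the bullets say "lifecycle"), and a curly apostrophe in "Can’t be shared." Since the commit is a refresh, align these in the same pass. The user-assigned column already says the identity "Must be explicitly deleted" and suits workloads where "permissions should stay consistent" while resources are recycled, so consider stating the consequence in the Life cycle cell: access granted to the identity outlives the resources that used it until the identity itself is deleted.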